Page 235 - AugDefComp

Public Sector Retirement

        News & Views | Q3 2021

        DEPARTMENT OF LABOR CYBERSECURITY GUIDELINES


        For the first time, the Employee Benefits Security Administration, a division of the Department of Labor, issued three-part guidance
        on cybersecurity for plan sponsors and fiduciaries. Because plan sponsors rely on their service providers to keep participant data
        and plan accounts secure, it is imperative that those providers' cybersecurity controls are strong. This new guidance covers three major areas: Tips
        for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips.

        The guidance is specifically directed at plans subject to the Employee Retirement Income Security Act (ERISA). Although
        governmental defined contribution plans are not subject to ERISA, the Act's provisions are widely recognized as guidelines for best
        practices. This new guidance provides insights for managing the cybersecurity aspects of retirement plans, and may also factor into
        governmental plan RFPs, contracting and service relationships.

        When hiring a service provider, the guidance recommends asking about their security standards, policies and practices. Requesting
        past audit results that verify information security and integrity can increase your confidence in their ability to demonstrate
        strong controls. Asking whether they have experienced past breaches and how they handled such situations can help you
        understand their approach to protecting client data. Finally, it is recommended that you require them to hold insurance policies that
        will cover any losses resulting from a data breach.

        When negotiating the contract with the service provider, the guidance recommends that ongoing cyber- and data security standards
        be included in the contract language. Security standards can include requiring a third-party security audit; specification of which
        information can be shared and when; and a requirement for the service provider to immediately notify the plan sponsor if a security
        incident occurs, including steps to investigate and correct the breach and steps to prevent future security incidents. Additionally,
        it is recommended that insurance coverage be required, such as professional liability, errors and omissions liability, cyber liability
        and privacy breach insurance. It is important for the plan sponsor to understand the terms and limits to ensure the policy will provide
        adequate coverage.

        The full guidance statement can be viewed here [1]. In addition, NAGDCA published a summary of the guidance and it can be
        viewed here [2].