U.S. DOL Issues Cybersecurity Best Practices for Retirement Plans
The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued much-anticipated cybersecurity guidance for employee retirement plans. The essence of the guidance is that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
EBSA set out the guidance in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than to plan fiduciaries:
- Cybersecurity Program Best Practices.
- Tips for Hiring a Service Provider with Strong Security Practices.
- Online Security Tips.
Best Practices
Acknowledging that employer-sponsored plans subject to the Employee Retirement Income Security Act (ERISA) hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of EBSA’s best practices include:
- Maintain a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Implement a reliable annual third-party audit of security controls.
- Follow strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
Read more @SHRM