The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers.
Tim Hauser, Deputy Assistant Secretary for DOL’s Employee Benefit Security Administration (EBSA) has indicated that we should expect more focus in the department’s investigations of the adequacy of various cybersecurity programs to confirm that service providers plan sponsors hire are practicing effective cybersecurity practices.
Mr. Hauser also indicated that the forthcoming guidance would be informal, and not a formal notice and comment.
Plan Sponsor Considerations
- The DOL expects there to be questions asked when hiring a TPA or record-keeper.
- What practices and policies does the service provider have to ensure their systems are secure?
- Does the service provider have regular third-party audits by an independent entity?
- How does the third party validate the cybersecurity of their systems?
- Is there any history of cybersecurity incidents? If so, what is their track record?
- What did they learn from any prior incidents, and how have they improved their defensive processes?
- Do they indemnify their clients in event of security systems breaches that result in losses?
- Do they have insurance policies to make you whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?
In the event a security breach is identified and an offender has achieved access to confidential information, the plan sponsor should produce a documented response, including notifying law enforcement, the FBI, the plan, and their participants.
Summit Group 401(k) Consulting will share when an official final guidance package is made available, so be sure to check back for updates.