
Cybersecurity and Retirement Plans: What You Need to Know

Practice Management

With a set of new guidance on cybersecurity issued by the Labor Department, a recent webcast outlined some key takeaways—and action steps.

In April, the Labor Department issued three separate sets of guidance: for plan sponsors (on picking vendors), for vendors (on cybersecurity program best practices), and for participants (related to their online security). As part of a June 22 CAPTRUST webinar on the subject, CAPTRUST Chief Technology Officer Jon Meyer noted that a distinction should be made between cybersecurity and cyber fraud: the former is typically managed at an organization level, while the latter is often handled at the participant level. Consequently, the Labor Department guidance for plan sponsors and providers was more cybersecurity-related, while the participant part was focused on steps they could take to prevent cyber fraud. Meyer also explained that cyber fraud,[1] unlike cybersecurity, was not necessarily limited to technology.

CAPTRUST Senior Financial Advisor Mike Webb noted that the Labor Department guidance was issued because… “We really needed it.” He explained that the Labor Department hadn’t issued guidance on the subject before, and while it wasn’t your typical guidance (with a proposal, discussions and commentary, followed by a final rule), he noted that it was only 10 pages long, accessible, and easy to read and understand. It also happened to follow a report by the Government Accountability Office (GAO) that had called on the Labor Department to provide some clarity on the subject.

Jennifer Doss, Senior Director and DC Practice Leader at CAPTRUST, commented that a frequent question from plan sponsors is whether this guidance had changed their responsibility. Webb stated that it had not; their fundamental fiduciary responsibility remains unchanged—they have a responsibility to protect the accounts and assets of participants, as has been the case for years. “The guidance affirms what most probably know,” he said, but noted that one big difference in terms of the way it was released is that smaller plan sponsors, in particular, may see it as a wake-up call, alongside specific things they can do right away. Perhaps more significantly, he noted that Labor Department audits are already focusing on this.

Devyn Duex, an institutional retirement plan advisor at CAPTRUST, noted that she’s heard a “range” of perspectives and concerns from plan sponsors. While acknowledging that the new guidance is only 10 pages, she noted that for many it was still somewhat overwhelming. “Where am I supposed to be looking? Where does the true risk lie, and how much risk do we have versus the recordkeeper?” were typical of the plan sponsor inquiries she’s heard. 

While the guidance provided a framework, and while she noted it was nice to have that framework, “lanes to function in,” and “now you know what they’ll be looking for,” she said that this was the time to check on insurance coverages, to make sure that cybercrime coverage includes cybercrime activity related to the retirement plan. Duex explained that while most large recordkeepers are probably positioned to help and that many have some kind of security guarantee, it’s important to know what happens if there is a breach, and what kinds of protection the plan fiduciaries have in that event. She also commented that different providers had different ways for participants to qualify for those protections, such as having multifactor authentication in place or having logged onto their account at some point.

Meyer noted that the focus should be directed at those who are processing and storing confidential/sensitive information, since that is where the risk is, and that due diligence processes should be focused on that risk, which would be greater for entities like recordkeepers or payroll providers.

Duex cited a review of SOC 1 and SOC 2 audit reports, and Meyer affirmed that, counselling a focus specifically on SOC 2, Type 2 reports, alongside the need to “get beyond the marketing verbiage.” He advised asking for executive summaries, and focusing on the actual execution of procedures and controls, and how they are working.

An audience member asked if it would be useful to ask how much the provider spent on this. “It’s a fair question,” Meyer said, “but I’m not sure what it would tell you.” Instead he encouraged them to probe deeper regarding other metrics, since budget spend isn’t necessarily evidence that the money is being spent well or effectively.

Suggested Actions

The panel offered the following suggestions:

  • Implement a structured vendor due diligence process.
  • Understand the difference between cybersecurity and fraud protection so you can ask questions related to both.
  • Find out the percentage of participants that have never logged on to their account—and formulate a plan to address the issue, specifically if it is in excess of 50%. Webb said not to be surprised if it is a larger number than expected.
  • Work with your recordkeeper to communicate and educate employees about security best practices.
  • See if your fiduciary liability policy covers cybercrime for your retirement plan.
  • Check the indemnification language in your vendor agreements.
  • Document all discussions and considerations related to your cybersecurity due diligence process.

Key Takeaways

The CAPTRUST panel wrapped up the discussion with the following takeaways:

  • The DOL guidance didn’t change plan sponsor responsibilities, but did provide a better framework to follow going forward.
  • There are actions that can be taken now: identify the vendors that maintain and protect plan data, review their contracts for indemnification provisions, and communicate best practices to participants.
  • Demand that vendors be excellent stewards of your data, and ask that providers spend time explaining their cybersecurity protection and fraud protection programs, in addition to asking for written answers to the DOL’s 12 best practices. Look for third-party evaluations and follow up with them periodically.

Footnote

[1] Recent cases have involved participant accounts at Abbott Laboratories (Split Decisions in 401(k) Theft Suit for Plan Sponsor, RK), Estee Lauder (Recordkeeper, Plan Sponsor Charged in 401(k) Account Theft), MandMarblestone Group (Court Backs TPA Counterclaim on Plan Sponsor in 401(k) Cyber Theft Case) and Boeing (Man Charged with Retirement Account Thefts).