Protect Against a Retirement Plan Cybersecurity Breach or Else: DOL

October is cybersecurity month, “something that pairs nicely with Oktoberfest,” American Retirement Association CEO Brian Graff joked during a panel called “Fulfilling Cybersecurity Oversight Requirements” at the ERISA 403(b) Conference in Washington, D.C. on Oct. 2.

It was a moment of levity in an otherwise serious discussion about preventing cybersecurity breaches and the response when they happen.

Moderator Earle Allen, Principal with CAPTRUST, asked former EBSA Assistant Secretary Preston Rutledge for an idea of what to expect from a Department of Labor (DOL) cybersecurity audit and how far plan sponsors and advisors should go in preventative measures.

Rutledge referred to the DOL’s cybersecurity best practice guidance released in April 2021 that came in three forms:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires. 
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks. 
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss. 

“The DOL says they’re here to protect participants, and they do it by holding plan sponsors’ feet to the fire,” Rutledge said. “They always insist on an independent, annual outside audit. They love the penetration (pen) test to evaluate external and internal threats.”

He added that the focus is on protecting against an attack but also the response once an attack happens.

“Investigators know you can’t prevent all attacks but want to see the effort put in,” Graff argued. “The 401(k) account for many Americans is their first investment. The DOL is deeply concerned that a massive attack, especially at the record-keeper level affecting millions of workers, will cause them to lose faith in the retirement system. That is the policy rationale.”

The DOL realizes this is a work in progress, but procedures must be in place and some form of annual review must be undertaken. Graff emphasized that if an attack occurs and preventative steps were not taken, the DOL says there will be consequences.

Cybersecurity liability insurance is essential, Graff concluded, and the DOL expects it to be in place, but plan sponsors must ensure the policy actually covers what they believe it covers. It should, therefore, be reviewed by an expert.