Current Thinking

DOL’s Cybersecurity Guidance Arrives Just in Time

The April 14 release of cybersecurity guidance for retirement plan sponsors and fiduciaries by the U.S. Department of Labor (DOL) is both momentous, and long overdue.

That this is the first time that the DOL’s Employee Benefits Security Administration (EBSA) has issued such guidance speaks to just what an issue cybersecurity has become. Information security research firm Cybersecurity Ventures estimates that by 2025, cyberattacks will cost businesses worldwide $10.5 trillion annually.

In the meantime, EBSA estimates that, as of 2018, there were 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.

Given that plan sponsors and their vendors typically are responsible for significant amounts of money – not to mention personal data of plan participants, including not just Social Security numbers and dates of birth but also banking details — it is no surprise that cyberattacks are on the rise in our industry.

It should also hardly come as news that many plan sponsors and fiduciaries have for some time regularly been targets of any number of attacks, from viruses and adware to phishing, malware, ransomware and more.

So the DOL is to be applauded for addressing this issue at last. “Without sufficient protections, these participants and assets may be at risk from both internal and external cybersecurity threats,” the DOL wrote. “ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.”

The DOL’s guidance comes in three forms:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.

Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.

Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

“The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information,” said Acting Assistant Secretary for Employee Benefits Security Ali Khawar. “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

As with most things, experience matters – as does training. At Pentegra, we provide continuous and regular cybersecurity training for our staff so that they know when something is obviously wrong, or at least seems suspect. We utilize a detailed checklist that we regularly consult to make sure we are implementing cybersecurity best practices throughout our organization.

In sum, we are pleased that the DOL has issued this guidance, as it can only be a net positive for our industry. As cybercriminals continue to develop new ways of carrying out their nefarious activities, providers, as well as plan sponsors and participants, need to stay vigilant to reduce the risk of fraud and loss through cybercrimes.

About the Author

Richard Rausser

Richard W. Rausser has more than 30 years of experience in the retirement benefits industry. He is Senior Vice President of Client Services at Pentegra, a leading provider of retirement plan and  fiduciary outsourcing to organizations nationwide. Rausser oversees consulting, BOLI and non-qualified business development and actuarial service practice groups at Pentegra. He is a frequent speaker on retirement benefit topics; a Certified Pension Consultant (CPC); a Qualified Pension Administrator (QPA); a Qualified 401(k) Administrator (QKA); and a member of the American Society of Pension Professionals and Actuaries (ASPPA). He holds an M.B.A. in Finance from Fairleigh Dickinson University and a B.A. in Economics and Business Administration from Ursinus College.