The Advisors' Blog

This blog features wisdom from respected compensation consultants and lawyers

April 26, 2021

Cybersecurity & Benefit Plans: DOL Issues Guidance for Plan Sponsors & Fiduciaries

– Lynn Jokela

Periodically, Liz and I have blogged on TheCorporateCounsel.net about cybersecurity risk, and it seems unusual to blog about cybersecurity risk here on CompensationStandards.com. Recently, though, the DOL issued cybersecurity guidance directed at ERISA plan sponsors and fiduciaries. The DOL's guidance provides tips for hiring service providers and outlines service provider cybersecurity best practices. Tips listed by the DOL include considerations relating to a service provider's security standards, audits and validation of its cybersecurity practices and policies, contract provisions giving you the right to review audit results, the service provider's track record, and the service provider's insurance coverage.

A Sidley memo says this development could indicate that plan sponsors and fiduciaries may soon be subject to focused scrutiny over their cybersecurity practices in DOL investigations. Given the potential cyber risk involved with employee benefit plans, many who work with benefit plans and their service providers may want to do more than apply the DOL's guidance when hiring a new benefit plan service provider: they may also want to revisit existing benefit plan service provider contracts in light of that guidance and update provisions as necessary. Sidley's memo lists these considerations for plan sponsors and fiduciaries:

– Select and monitor service providers with an eye toward cybersecurity

– Conduct periodic reviews of the cybersecurity programs of recordkeepers and other service providers; ask your benefit plan service providers to demonstrate how their cybersecurity program reflects the DOL's Best Practices

– Review the terms of agreements with service providers to ensure they require ongoing compliance with cybersecurity and information security standards; compare them against the provisions identified in the DOL guidance for hiring a service provider

– Educate participants and beneficiaries who manage their retirement accounts online about online security