Retirement plan cybersecurity is now a top priority focus for the Securities & Exchange Commission (SEC) and the Department of Labor (DOL). Both agencies have given Retirement Plan Cybersecurity special attention during 2021. This trend is expected to continue into the coming year as cybersecurity measures and protocols are under greater scrutiny.
The SEC is reviewing whether registrants have implemented appropriate measures to protect customer accounts. The intent is multifold and includes the following actions: preventing break-ins of participant accounts; overseeing vendors and service providers; vetting malicious email activity; responding to breaches; and managing operational risks for remote employees.
The DOL also issued guidance on cybersecurity in retirement plans. That includes three documents of particular relevance to fiduciaries:
- Tips for Hiring a Service Provider;
- Online Security Tips; and
- Cybersecurity Program Best Practices.
The DOL guides provide best practices for plan service providers, even though the DOL itself doesn’t regulate these vendors. This is a way for the DOL to informally regulate fiduciary advisors while still remaining hands-off.
The DOL and SEC best practices do overlap in the following areas:
- Maintaining strong access control procedures;
- Ensuring that any assets or data stored in a cloud – or managed by a third-party service provider – are subject to appropriate security reviews and independent security assessments; and
- Responding appropriately to any cybersecurity incidents.
Although their guidance is general, the agencies are serious about enforcing it, as stated within this article. They are also making good on the consequences. In August 2021, for example, the SEC sanctioned eight firms in three actions for failures in their cybersecurity policies.
Beware: cybersecurity is now a fiduciary responsibility. So it’s no wonder plan sponsors are also encountering increased scrutiny from regulators. For instance, the DOL is requesting information about retirement plans’ cybersecurity measures. It may be challenging for plan sponsors to know the right questions to ask when it comes to cybersecurity in their retirement plans. The same can be said for selecting or monitoring vendors for best practices. In that case, it behooves plan sponsors to lean on fiduciary advisors. Plan sponsors should help vet plan service providers and make sure they’re adhering to the latest cybersecurity best practices. It may also be beneficial to consult with outside security experts to ensure your retirement plan cybersecurity processes and participant accounts are adequately protected against cybercriminals.