|DOL Ramps Up Retirement Plan Cybersecurity Investigations |
Hall Benefits Law
Aug. 30, 2021
"Reports continue to come in concerning an increasing number of DOL requests made to plan sponsors asking for all cybersecurity and information security program policies, procedures and guidelines that relate to retirement plans, whether applied by the plan sponsor or by a provider, as well as detailed documentation of specific actions taken by the plan's fiduciaries and providers, including many that the DOL addressed in its guidance."
|Developing a Prudent Process for Cybersecurity |
Groom Law Group, via PLANSPONSOR; free registration may be required
Aug. 27, 2021
"As the DOL pivots to new areas of enforcement -- such as cybersecurity -- it will be important for plan fiduciaries to consider taking similar steps to help protect participant account balances, plan information technology systems and related information. While nobody could have anticipated in 1974 (when [ERISA] was enacted) that plan fiduciaries would be responsible for cybersecurity, here we are in 2021 with a department that seems to expect human resources (HR) professionals to moonlight as expert hackers."
|Best Practices for ERISA Fiduciary Responsibilities and Cybersecurity for Retirement Plans (PDF) |
Mintz, via Thomson Reuters Practical Law
Aug. 25, 2021
12 pages. "[P]rudent selection and monitoring of plan service providers that may handle PII requires critical due diligence of the third-party service provider's systems, data storage, and encryption security.... When employees work from home, companies may face additional risk from employees who take shortcuts to ease working on personal devices or outside of the organization's regular environment.... The main components of a business resiliency program are a business continuity plan, disaster recovery plan, and incident response plan."
|How DOL's Cybersecurity Guidance Impacts Retirement and Health and Welfare Plans |
Quarles & Brady LLP
Aug. 20, 2021
"[T]he DOL did not provide a delayed effective date but considers this guidance enforceable now.... Note that the DOL cybersecurity guidance is very high-level and does not include a lot of detail. That can make it difficult to determine what, exactly, a plan sponsor and a vendor must do."
|Cyber Insurance for 401(k) Plans Rises in Cost and Demand |
Fred Barstein, via RPA Convergence
Aug. 19, 2021
"[C]overage is now harder to get, and it costs more, largely due to the higher volume of attacks that resulted in higher loss ratios for insurers.... [U]nderwriting is [now] done on an individual basis -- and applicants need to show that they have good cybersecurity practices. That includes having multifactor authentication, data backups in a secondary location that are updated regularly and having the ability to put all critical systems back online within 10 days of an attack[.]"
|Cybersecurity and Related Legal Risks Come Home to ERISA Plans (PDF) |
Stradley Ronon, via Society of Financial Service Professionals
Aug. 10, 2021
"Plan sponsors will seek more transparency, whereas service providers may be reluctant to divulge too much on their cybersecurity defenses to guard against inadvertently offering up the keys to the castle. The balance of the two will become market practice. The DOL is ramping up enforcement in this area. Plan sponsors should also gird for class-action lawsuits with allegations of breaches of ERISA's duty of prudence when participant PII or plan asset data is mis-used."
|DOL Cyber Scrutiny Higher for 'Those Running the Systems' |
American Retirement Association [ARA]
July 30, 2021
"[According to Tim Hauser, Deputy Assistant Secretary for National Office Operations at EBSA, the] most detailed proscriptive best practices in the recent DOL guidance were aimed at recordkeepers and 'those running the systems' -- and the DOL has higher expectations on cybersecurity practices among those organizations. Costs/risk exposure are a relevant consideration -- the [DOL] would expect quite a bit more of those who have more data, and more exposure."
|Cybersecurity Best Practices for Employer-Sponsored Benefits |
July 29, 2021
"Begin with a solid working knowledge of the current cybersecurity threat landscape.... Develop and document a formal cybersecurity program.... How does your service provider selection process investigate an entity's ability to adequately protect data it will create, receive, transmit, or maintain on behalf of your employee benefits program? ... What level of oversight do your service provider agreements allow so that you can ensure the providers' security policy and procedure compliance? ... Train (and retrain) your employees at least annually."
|DOL Provides Cybersecurity Guidance |
Georgetown University Center for Retirement Initiatives
July 28, 2021
"While it is understandable that plan sponsors, prompted by advisers and attorneys, would want their service providers to provide more and better information, the absence of a basic understanding of cybersecurity could result in requests that could inadvertently create greater risks. Service providers recognize the right of plan sponsors to confirm that their participants' data are protected, but have legitimate concerns that some of the information requested, if it becomes more widely available, could help cybercriminals breach systems, thus undermining that very security."
|Cybersecurity: Another Responsibility for Retirement Plan Sponsors and Fiduciaries |
July 27, 2021
"Besides the specter of a DOL enforcement action, this guidance should remind plan sponsors that if a cybersecurity breach ever impacts their plan, they need to be prepared. Class action lawsuits that argue that they chose the wrong service provider or that PII was misused or not protected are possible. Service Providers like recordkeepers, TPAs, and advisors will likely be inundated with requests to divulge the precise details of their cybersecurity and information security practices."
|DOL Plan Audits Updated to Include Several Questions About Compliance with Its Cybersecurity Guidelines |
Jackson Lewis P.C.
July 26, 2021
"The DOL would like to see how plan fiduciaries are communicating with their service providers to assess service provider cybersecurity risk, as well as the documents and other materials from service providers concerning the processing of plan data. Importantly, the DOL is not just looking for cybersecurity related information. The agency apparently wants to know how service providers are permitted to use plan data."
|Cybersecurity Guidance Welcome, But Unanswered Questions Remain |
The Wagner Law Group
July 26, 2021
"What personal information and/or confidential information must be safeguarded by plan administrators and other plan fiduciaries to comply with ERISA's fiduciary standards? ... For purposes of misappropriation of PPI, is PPI a plan asset under ordinary notions of property rights? Does the resolution of this question affect the application of ERISA Section 404 to protect PPI? ... What losses due to cybersecurity breaches in plans' or the plan service providers' systems are covered by a bond under ERISA Section 412 and implementing regulations?"
|Industry Best Practice: Fraud Controls (PDF) |
The SPARK Institute
July 22, 2021
"Plan Sponsors are responsible for the overall security of [retirement plan] accounts. Recordkeepers must implement controls that reasonably protect, detect, and respond to fraudulent activity. Participants must act to use secure login credentials and monitor their accounts.... These controls should be a combination of preventative, detective, and responsive controls. [This] chart is intended to highlight a minimum set of controls that should be considered and set expectations for all parties involved."
|Enhancing Cybersecurity When Employees Work Remotely |
Godfrey & Kahn S.C.
July 16, 2021
"Ensure access to dedicated and skilled information technology resources ... Manage the devices accessing your systems ... Require strong passwords and implement multifactor authentication ... Update, test and train employees ... Monitor employee access and activity ... Promptly terminate access ... Develop and maintain an incident response plan ... Implement a telecommuting/telework policy ... Restrictive Covenant Agreements."
|DOL Intensifies Cyber Readiness Inquiries Among Retirement Plan Administrators |
Debevoise & Plimpton LLP
July 14, 2021
"The increase in DOL inquiries ... [is] surprising in light of the short amount of time that has elapsed since the DOL first published a summary of best practices in this area.... [M]any of the areas addressed by the summary involve fiduciary determinations (as opposed to non-fiduciary areas of plan design and administration), creating an added urgency to address cyber readiness for retirement plans."
|1 in 3 Employees Has Picked Up Bad Cybersecurity Habits Since Working Remotely |
July 13, 2021
"[Y]ounger employees are most likely to admit they cut cybersecurity corners, with over half (51%) of 16-24 year olds and almost half (46%) of 25-34 year olds reporting they've used security workarounds.... Over one quarter of employees admit they made cybersecurity mistakes -- some of which compromised company security -- while working from home that they say no one will ever know about."
|Implementing the 3-2-1 Backup Rule for Your Plan |
Euclid Specialty Managers
July 13, 2021
"While [multifactor authentication] is an offensive tactic that safeguards data from hackers with more complex security measures, an efficient backup plan is your first line of defense should they gain access to your data.... The rules of the 3-2-1 backup strategy are straightforward: Consistently maintain 'three' or more distinctive copies of all system data. Retain 'two' copies of your backup data on different devices and separate storage media. Store 'one' backup copy offsite."
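The 3-2-1 rule quoted above is easy to state and easy to violate quietly (a "second copy" that is a snapshot on the same host, or an "offsite" copy that lives in the same building). The following is an added example, not code from Euclid Specialty Managers or from the article, that checks a constructed backup inventory against the rule. The inventory, the `BackupCopy` record and the `check_321` function are assumptions introduced for illustration; the one addition beyond the quoted rule is a check that no backup sits on the same device as the primary data, since such a copy shares the primary's failure mode.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example (not from the original article). The inventory below is
constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BackupCopy:
    label: str        # human-readable name of this copy
    device: str       # physical host / appliance / storage account holding it
    media: str        # storage medium: "ssd", "hdd", "tape", "object-storage", ...
    site: str         # where the copy physically resides
    is_primary: bool  # True for the live production data, False for backups


def check_321(copies: List[BackupCopy], primary_site: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings). Empty findings means the inventory satisfies 3-2-1.

    3: at least three copies of the data in total (primary + backups)
    2: backups on at least two distinct devices and two distinct media
    1: at least one backup stored away from the primary site
    Extra (assumption, not in the quoted rule): a backup on the same device
    as the primary is flagged because it does not survive loss of that device.
    """
    findings: List[str] = []
    primaries = [c for c in copies if c.is_primary]
    backups = [c for c in copies if not c.is_primary]

    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies in inventory; rule requires at least 3")

    primary_devices = {c.device for c in primaries}
    co_located = [c.label for c in backups if c.device in primary_devices]
    if co_located:
        findings.append(f"backups on the same device as primary data (not independent): {co_located}")

    if len({c.device for c in backups}) < 2:
        findings.append("backups are not spread across at least 2 distinct devices")
    if len({c.media for c in backups}) < 2:
        findings.append("backups are not spread across at least 2 distinct media types")

    offsite = [c.label for c in backups if c.site != primary_site]
    if not offsite:
        findings.append(f"no backup is stored offsite (all at '{primary_site}')")

    return (not findings, findings)


# Constructed inventory that satisfies the rule.
GOOD_INVENTORY = [
    BackupCopy("primary-db", "rk-db-01", "ssd", "hq", True),
    BackupCopy("nightly-nas", "nas-01", "hdd", "hq", False),
    BackupCopy("weekly-archive", "archive-bucket", "object-storage", "region-b", False),
]

# Constructed inventory that looks like three copies but fails the rule:
# the "snapshot" lives on the primary host, and nothing leaves the site.
BAD_INVENTORY = [
    BackupCopy("primary-db", "rk-db-01", "ssd", "hq", True),
    BackupCopy("local-snapshot", "rk-db-01", "ssd", "hq", False),
    BackupCopy("nightly-nas", "nas-01", "hdd", "hq", False),
]


if __name__ == "__main__":
    for name, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        ok, findings = check_321(inv, primary_site="hq")
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Running the script prints PASS for the first inventory and FAIL for the second with one line per failed condition. The check says nothing about whether the copies can actually be restored within the window an insurer or regulator expects; that is a separate restore test, not an inventory property.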
|Cybersecurity for Plan Fiduciaries: Focus on Account Theft |
PLANSPONSOR; free registration may be required
July 6, 2021
"One case can take your participant and you down a rabbit hole that might not have a great ending.... [No] matter how vigilant your plan's recordkeeper is, plan sponsors, plan fiduciaries and plan participants can and should take steps to protect retirement accounts from cyber theft. The recent DOL guidance is designed to outline what those steps might be."
|DOL's Cybersecurity Auditors Have Arrived: Here's the Request for Policies and Documents One Employer Received |
Nixon Peabody LLP
June 24, 2021
"Knowing the information that will likely be sought during an audit can help companies and plan sponsors tailor and revise their cybersecurity compliance plans. Documented cybersecurity compliance efforts can minimize liability in the event of an audit.... [The authors] are already aware of several investigations that the DOL has commenced regarding cybersecurity practices."
|DOL Ups Its Game on Cybersecurity Program Oversight, Begins Audits |
Pillsbury Winthrop Shaw Pittman LLP
June 24, 2021
"In light of the DOL's cybersecurity audit initiative, employers and fiduciaries should act now to ... Review internal cybersecurity programs ... Analyze service providers' cybersecurity programs and update service contracts ... Review participant messaging around cybersecurity awareness and the importance of monitoring retirement plan accounts."
|SEC Issues First-Ever Penalties for Deficient Cybersecurity Risk Controls |
Holland & Knight
June 23, 2021
"[T]he SEC and NYSDFS are now using their enforcement powers to ensure that companies implement robust cybersecurity risk management systems. With cyberattacks ever present and constantly evolving, it is only a matter of time that a company's cybersecurity risk management efforts and related controls ... will be exposed to regulatory scrutiny."
|DOL Issues Its First Cybersecurity Guidance for Plan Sponsors, Fiduciaries and Service Providers |
King & Spalding
June 22, 2021
"[T]he new guidance more closely aligns the data privacy and security requirements of United States retirement plans with the requirements outside the United States and with general corporate standards. The guidance is based on the central premise that '[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.' "
|CVS Health Leak Left Log of 1 Billion Searches Exposed Online |
June 17, 2021
"The database belonging to the healthcare and retail giant, which was not password protected, was discovered at the end of March by [an] independent cybersecurity researcher ... The data, collected from both CVS Health and CVS.com, represents website visitors logs that shows everything visitors searched for[.] ... 'We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personally identifiable information of our customers, members, or patients,' [a CVS] spokesperson said."
|COVID-19, Cybersecurity Create New Litigation Risks for Benefit Plan Fiduciaries and Service Providers |
PLANSPONSOR; free registration may be required
June 16, 2021
"As offices moved to remote work in 2020, the risk for cyberhacks heavily increased -- as did the possibility that litigation that could follow.... [E]mployers should be wary of potential COVID-19 litigation that involves financial distress from employees due to job loss, cybersecurity management and data privacy, business interruptions or continuities, and relations within the workforce."
|Individuals and Employers Aren't Following Password Best Practices |
PLANSPONSOR; free registration may be required
June 16, 2021
"A survey in which 2,500 Americans were asked about their password behaviors and tendencies found a fifth of employers don't regularly require their employees to change their work program passwords.... [N]early one-quarter of respondents use the same passwords for their home and personal accounts.... [M]ore than half of respondents have admitted to checking their personal emails on work devices, increasing the likelihood of a malicious infection infiltrating a company's networks."
September 20, 2021