ARTICLE
10 June 2021

Cybersecurity Guidance Issued To Retirement Plan Sponsors

Sheppard, Mullin, Richter & Hampton LLP


The Department of Labor recently issued cybersecurity guidance to retirement plans. The department's Employee Benefits Security Administration (EBSA) issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end-users.

Recommendations made to plan sponsors and administrators include:

  • Asking vendors what security practices they use and how those practices are validated;
  • Determining the type and scope of vendors' cyber insurance coverage;
  • Putting a formal cybersecurity program in place and conducting annual risk assessments;
  • Using security measures such as encryption, and conducting periodic security training;
  • Giving participants and other users information about common risks, such as connecting over free WiFi or poor password hygiene.

These guidelines provide clarity on how EBSA will interpret its regulations on electronic recordkeeping (which require plan administrators to put in place reasonable controls and adequate records management) and those relating to plans' fiduciary responsibilities. While these cybersecurity recommendations are the first from EBSA, they will be familiar to those acquainted with other frameworks, such as the NIST Cybersecurity Framework, and with other agency guidance on managing vendors, including the recent NYDFS supply chain management guidelines.

Putting it Into Practice: This first cybersecurity guidance from EBSA signals its expectations around cybersecurity. Of note is the focus on vetting and onboarding service providers. These cautions are particularly relevant when considering vendors that operate automated protection processes and/or have intimate knowledge of their clients' IT systems (knowledge that could be exploited by a bad actor). Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their controls and vendor management programs against these three newly issued guidance documents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
