Employee Benefits Security Administration's Cybersecurity Guidance Part 2: Cybersecurity Best Practices

Date: April 11, 2022
Authors: HBK CPAs & Consultants

Part two of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants is provided in three forms:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online

Cybersecurity program best practices

In part one of our series on the Department of Labor's Employee Benefits Security Administration's (EBSA's) recently issued cybersecurity guidance, we focused on the "tips for hiring a service provider" and advocated implementing a third-party risk management program to support those efforts. Those tips cover one aspect of a third-party risk management program. While adopting a complete third-party risk management program was not specifically addressed in the DOL guidance, the need becomes evident after exploring EBSA's second "form" of guidance, "cybersecurity program best practices," which was designed to help plan fiduciaries and record keepers meet their responsibilities to manage cybersecurity risks.

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which makes them tempting targets for cyber criminals. Responsible plan fiduciaries have an obligation to ensure that cybersecurity risks are properly mitigated.

The Employee Benefits Security Administration has prepared the following best practices for use by record keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries who need to make prudent decisions about the service providers they are considering hiring. According to the DOL guidance, plans' service providers should:

  1. Have a formal, well-documented cybersecurity program.

  2. Conduct prudent annual risk assessments.

  3. Have a reliable annual third-party audit of security controls.

  4. Clearly define and assign information security roles and responsibilities.

  5. Have strong access control procedures.

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

  7. Conduct periodic cybersecurity awareness training.

  8. Implement and manage a secure system development life cycle (SDLC) program.

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

  10. Encrypt sensitive data, stored and in transit.

  11. Implement strong technical controls in accordance with best security practices.

  12. Appropriately respond to any past cybersecurity incidents.

The specific details of each of the 12 Best Practices can be found here.

While the details on nos. 2 through 12 offer more specifics, we recommend you focus on the first best practice, establishing a formal, well-documented cybersecurity program, because such a program will necessarily include nos. 2 through 12. The only additional step is actually implementing the program you have formalized.

Bringing the entirety of the EBSA guidance full circle, we recommend the following steps:

  • Develop a cyber program: Leveraging established standards can assist you in developing your program. We recommend exploring ISO 27001 or the NIST Cybersecurity Framework. Each has its own advantages, and, if nothing else, offers guidance for establishing a program.
  • Implement the program: Establishing the policies and procedures required for developing a cyber program is one project. Implementing the policies and procedures is another. This may take some time depending on your current security maturity.
  • Test the effectiveness of your program: Undergo a third-party audit as described in item no. 3 of EBSA's best practices. Audit, both internal and external, is a key component of an effective, enduring cybersecurity program.
  • Communicate the program to stakeholders: As pointed out in the first “form” of guidance issued by EBSA, your stakeholders will want to know the details of your security initiatives, including the controls you have in place and their effectiveness.

Often, the last two steps can be achieved in one engagement. SOC reporting offers assurance through an audit in which a CPA opines on the effectiveness of controls. This reporting mechanism communicates both the design and the operating effectiveness of your security program. We strongly recommend that you use a reputable audit firm with security and SOC experience.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: Third-party risk management is a component of "Cybersecurity Program Best Practices," the subject of the next article in our three-part series on the U.S. Department of Labor's "Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants."


Missing Participants: What Plan Sponsors Need to Know About the DOL’s Latest Guidance

Date: May 6, 2021

When workers change jobs and relocate, plan sponsors face several challenges, including locating former employees who have left funds in a qualified retirement plan and failed to keep their contact information current. The scope of the missing participants problem is enormous: a 2018 survey found that one out of every five job changes results in a missing participant.[1] Now that the COVID-19 pandemic has resulted in economic and physical dislocation of millions of employees, the issue has taken on even greater urgency: some 5% of U.S. adults relocated due to the financial pressures of the pandemic, according to a poll by the Pew Research Center.[2]

In early 2021, the Department of Labor (DOL) issued a three-part package of sub-regulatory guidance related to missing participants that addresses the fiduciary responsibilities of plan sponsors related to these plan participants and beneficiaries.

DOL’s Recommended Best Practices for Missing Participants

The DOL’s “Missing Participants — Best Practices for Pension Plans” describes a range of steps that retirement plan fiduciaries should consider to locate missing or nonresponsive participants. Plan fiduciaries should determine which practices will be most effective for the plan’s specific population.

Some examples of the DOL’s recommended best practices include:

  • Maintain accurate information by periodically contacting participants and their beneficiaries to confirm or update their information (e.g., home and business addresses, phone numbers, social media handles, and next of kin/emergency contact information)
  • Implement effective communication strategies, including using plain language in all communications and building steps into plan onboarding, enrollment, and exit processes to confirm or update contact information
  • Search for missing participants by performing the following:
    • Check related plan and employer records for contact information
    • Attempt to contact them via email addresses, phone numbers, and social media
    • Use free online search engines, public record databases (such as those for licenses, mortgages, and real estate taxes), obituaries, social media engines, certified mail, and/or commercial locator services to locate individuals
  • Document all procedures, communications, and actions taken to implement policies. For plans using third-party recordkeepers to maintain plan records and handle participant communications, ensure that the recordkeeper is performing the agreed-upon services and work with them to identify and correct shortcomings in the plan's recordkeeping and communication practices.

Outlining EBSA’s Investigative Approach

The Compliance Assistance Release 2021-01 outlines the general investigative approach that will guide the Employee Benefits Security Administration (EBSA) under the Terminated Vested Participants Project audits. It is also intended to facilitate voluntary compliance efforts on the part of plan fiduciaries. In opening an investigation, EBSA seeks to determine the scope of any potential problems a plan may have with recordkeeping or administration of benefits for terminated vested participants and beneficiaries.

Potential red flags that an EBSA investigator would look for are the following:

  • Systemic errors in plan recordkeeping and administration, which may include missing and incomplete data, such as names, dates of birth, and social security numbers
  • Inadequate procedures to identify and locate missing participants and beneficiaries
  • Inadequate procedures to contact terminated vested participants (TVPs) nearing normal retirement age to inform them of their right to commence payment of their benefits
  • Inadequate procedures for contacting TVPs and the beneficiaries of deceased TVPs who are not in pay status at or near the date that they must begin taking required minimum distributions (RMDs)
  • Inadequate procedures for addressing uncashed distribution checks

Making Use of the PBGC Missing Participant Program

Additionally, Field Assistance Bulletin (FAB) 2021-01 announced a temporary enforcement policy applicable to terminating defined contribution plans. The DOL will not pursue plan fiduciaries of such plans that use the PBGC Missing Participants Program, as long as they satisfy certain conditions to qualify for the safe harbor by conducting a "diligent search." Following the transfer of the assets, the PBGC will include the participants' information in a searchable database and take certain steps to locate them.

The guidance describes which participant accounts may be transferred to the PBGC and the rules for participant notices. The PBGC cites multiple benefits of the program, including:

  • Benefits of any size can be transferred to the PBGC
  • Periodic active searches by the PBGC increase the likelihood of connecting missing participants with their benefits
  • Benefits aren’t diminished by ongoing maintenance fees or distribution charges
  • Transferred amounts grow with interest
  • Lifetime income options are available for balance transfers over $5,000

Meeting your fiduciary obligations with respect to missing participants

While the DOL's latest guidance on missing participants does not have the force and effect of law, plan sponsors should carefully review it and adjust their processes and procedures as necessary ahead of any potential missing participant investigation. Your representative is available to review your plan, address any red flags, and implement best practices for managing the challenges caused by missing participants.

[1] The mobile workforce's growing missing participant problem. https://info.rch1.com/hubfs/Presentation_Decks/MWF_Missing_PPT_Survey.pdf
[2] Pew Research Center, "As the pandemic persisted, financial pressures became a bigger factor in why Americans decided to move." https://www.pewresearch.org/fact-tank/2021/02/04/as-the-pandemic-persisted-financial-pressures-became-a-bigger-factor-in-why-americans-decided-to-move/


© 2024 Hill, Barth & King LLC