July 29, 2024

Cybersecurity remains a crucial concern for retirement plan administrators and sponsors. Ensuring the security of sensitive data and maintaining compliance with regulatory requirements is essential to protect plan participants and maintain trust.

GRF hosted a 2024 Update on Retirement Plans webinar on May 16th, 2024, which outlined key cybersecurity best practices recommended by the Department of Labor (DOL) and discussed how they can be effectively implemented in your organization’s plan. Here are important cybersecurity insights from that webinar.

Understanding the Current Cybersecurity Landscape

Since the DOL and the Employee Benefits Security Administration (EBSA) rolled out cybersecurity requirements in 2021, there has been ongoing work to delineate the respective responsibilities of plan management and service providers. Currently, there is no formal guidance mandating a specific framework, but several well-recognized frameworks are commonly used, including:

These frameworks offer a strong foundation for developing a robust cybersecurity program. Organizations often use a blend of these frameworks to best suit their specific needs.

Key Cybersecurity Practices

Regardless of the framework you use, here are some general recommended guidelines to follow:

  1. Develop Formal, Well-Documented Policies and Procedures
    • Establish comprehensive policies that cover IT general controls and specific procedures related to retirement plans.
    • Clearly define roles and responsibilities for information security within your organization and among third-party service providers.
  2. Implement Access Control and Training
    • Implement strong access control procedures, including regular reviews of access rights and robust onboarding and offboarding processes.
    • Conduct regular cybersecurity awareness training for all employees and include specific training for those accessing retirement plan data.
  3. Conduct Ongoing Risk Management
    • Perform annual risk assessments to identify and address vulnerabilities in your IT environment.
    • Engage in regular third-party audits of security controls, especially those related to any data stored in the cloud or managed by external service providers.
  4. Develop Incident Response and Business Resiliency Plans
    • Develop a well-defined incident response plan that outlines steps to follow in case of a security breach or data compromise.
    • Maintain logs of all incidents and conduct tabletop exercises to prepare for worst-case scenarios.
  5. Stay Informed and Compliant
    • Keep up to date with industry developments and regulatory changes, such as the Institute of Internal Auditors (IIA) Cybersecurity Topical Requirements.
    • Regularly review SOC reports from third-party administrators to identify any control deficiencies or vulnerabilities.

Visit the DOL’s website to see all of its Cybersecurity Best Practices.

Resources and Tools

Utilize the following resources to enhance your cybersecurity practices:

Reporting and Governance

Maintain accurate records and communicate your cybersecurity activities to the board of directors. Update them on any cybersecurity incidents, policy updates, and risk assessments frequently, using clear language. Dashboards and visual tools can assist the board in comprehending the issues and making wise decisions.

GRF Can Assist

Cybersecurity is a dynamic and critical aspect of managing retirement plans.

Implementing a robust cybersecurity framework tailored to your organization’s needs will ensure compliance and foster trust and security among plan participants. Our team can help you stay informed and up to date with all current requirements with an audit of your employee benefit plans. Contact us to find the right solutions for you.

Mac Lillard, CPA, CIA, CFE, CISA, CRISC, CITP

Senior Manager, Risk & Advisory Services