Effective URL: https://www.withum.com/resources/cybersecurity-guidance-for-employee-benefit-plans-released-by-the-dol/?utm_source=mark...



CYBERSECURITY GUIDANCE FOR EMPLOYEE BENEFIT PLANS RELEASED BY THE DOL

08/31/22 | Employee Benefit Plan Services, Multiemployer Benefit Plans, Cyber and Information Security Services
Authors: Donna Nevolo, Partner; Edward Keck, Jr., Partner


In April 2021, the Department of Labor (DOL) announced official guidance
relating to cybersecurity best practices, including maintaining security
frameworks, reducing cyber risks, and ensuring retirement benefits are
protected.

The guidance is targeted at plan sponsors, fiduciaries, and record keepers of
all sizes that are regulated by ERISA, as well as at plan participants and
beneficiaries. The release of the guidance marks the first time that directions
relating to cybersecurity have been outlined and issued by the DOL’s Employee
Benefits Security Administration (EBSA).

Cybersecurity-related problems affect organizations of all shapes and sizes and
are a point of concern for both plan sponsors and plan participants.
According to the EBSA, “there were more than 34 million defined benefit (DB)
plan participants in private pension plans and 106 million defined contribution
plan participants covering estimated assets of $9.3 trillion” as of 2018.
Without adequate protection and preparation, the EBSA notes, these
participants and assets will remain at risk from internal and external
cybersecurity threats. Plan sponsors and fiduciaries need to take appropriate
action to ensure that impacts are effectively mitigated.

The DOL guidance comes in three parts: “Tips for Hiring a Service Provider,”
“Cybersecurity Program Best Practices” and “Online Security Tips.”


3-PART DOL GUIDANCE


1. TIPS FOR HIRING A SERVICE PROVIDER WITH STRONG CYBERSECURITY PRACTICES

Selecting a qualified and experienced service provider is a critical step in
successfully establishing a secure environment. Directed towards plan sponsors,
the guidance focuses on best practices for hiring service providers. It is worth
noting that the EBSA places the responsibility to “prudently select and
monitor” service providers with strong cybersecurity practices on the
employers and fiduciaries. All potential service providers should be evaluated
and closely monitored.

Law firms for the plans will be instrumental in helping to draft contract
language that allows the plans to audit the service providers and requires the
minimum cybersecurity standards to be in place. Law firms can also offer
guidance on situations where service providers do not wish to disclose this
information, as the DOL does not directly address this. Several questions to ask
a potential service provider include:

 * What information security standards, practices, and policies are in place,
   and how do they compare to industry standards?
 * What is the service provider’s track record with previous incidents, security
   breaches, or legal proceedings?
 * Does the service provider have insurance policies in place that would cover
   any losses caused by threats or breaches?
 * Is your contract with the service provider in compliance with cybersecurity
   and information security standards?


2. CYBERSECURITY PROGRAM BEST PRACTICES

The second part of the DOL guidance is the part that has received the most
attention: “Cybersecurity Program Best Practices.” Those in the cybersecurity
industry will recognize this guidance as established industry best practice. It
is important to note that under this guidance, protecting the participants’
data is a fiduciary responsibility of the plan. The DOL provided a “road map”
for each of the twelve areas of the Cybersecurity Best Practices, and it is
essential to understand and review the details of all twelve areas. This
guidance has also raised questions about proper implementation for plans that
fully outsource their administration, with some assuming that the
responsibility then lies solely with the service provider. This is an
incorrect interpretation of the guidance: such plans should still expect to
have a written information security program in place, one that will most
likely reference their service provider(s).

The guidance for record keepers and service providers outlines the basic rules
to implement so that the risk of fraud and loss to retirement accounts is
mitigated. A snapshot of several high-level best practices includes:

 * Ensure the organization has a robust, well-documented cybersecurity program
   with strong security policies, guidelines, and standards that meet the
   provided criteria.
 * Conduct annual risk assessments to identify potentially concealed threats.
 * Third-party audits of the organization’s security controls (known as System
   and Organization Controls or SOC) can provide valuable information to assess
   risks associated with both operational and financial access to systems and
   data.
 * Clearly identify the senior executive and management personnel in charge
   of the cybersecurity program, outline their roles and responsibilities, and
   ensure that they meet the qualifications needed to protect the organization
   successfully.
 * Enable access control methods such as authentication and authorization to
   ensure that only appropriate personnel have access to secured IT systems and
   data.


3. ONLINE SECURITY TIPS

The final part of the guidance relates to participant education. If
participants have access to their plan information online, the plan should
provide “Online Security Tips” in an easily accessible location on the plan’s
website for all participants to review.

Plan participants and beneficiaries can reduce cyber threats and other risks to
retirement accounts through consistent monitoring. The tips provided include:

 * Adopt a firm password policy, using a combination of 14 or more upper and
   lower case letters, numbers, and special characters. The passphrase should be
   unique and not reused across other accounts.
 * Use multi-factor authentication, which requires users to provide multiple
   pieces of information to log in to a system, program, or website.
 * Avoid using public Wi-Fi networks.
 * Be vigilant for phishing attacks.
 * Review and update anti-virus and firewall configurations and ensure your
   operating system is current.

Many fiduciaries want to know how best to develop policies, procedures, and
internal controls to manage and protect plan data. Cybersecurity involves
measuring relevant standards against established frameworks and adopting
reasonable protections. Frameworks include (but are not limited to) the Center
for Internet Security Critical Security Controls (CIS), the International
Standards Organization (ISO), and the U.S. National Institute of Standards and
Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
(NIST CSF).

Challenges have arisen in the last year because the DOL did not identify a
specific framework against which to establish cybersecurity alignment.
Leadership teams must gather existing documentation, review current controls,
and attempt to determine “where they are” and “where they need to be.”

Working with a trusted cybersecurity advisor who understands the DOL guidance
and, more importantly, what is needed to satisfy its requirements is vital. The
review process requires knowledge that comes only from security experience in
the industry. Plan fiduciaries who attempt to compile documentation and
institute change based on traditional practices often end up repeating the
process, the second time with a DOL-experienced advisor.

The best practices and tip sheets outlined by the EBSA should be considered by
all organizations, regardless of the size of the plan’s assets and participant
count. Organizations that already have a well-established cybersecurity
strategy should continue to be prudent and monitor risks. Plan sponsors should
continuously monitor the effectiveness of the cybersecurity controls of their
service providers. Regulatory obligations related to cybersecurity will
continue to evolve. A sound data-protection program aligned to business
objectives has become critical for any organization that is the
custodian/steward of information.


CONTACT US

For more information on this topic, please contact a member of Withum’s Employee
Benefit Plan Services Team.
