The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers.

Tim Hauser, Deputy Assistant Secretary for DOL’s Employee Benefit Security Administration (EBSA) has indicated that we should expect more focus in the department’s investigations of the adequacy of various cybersecurity programs to confirm that service providers plan sponsors hire are practicing effective cybersecurity practices.

Mr. Hauser also indicated that the forthcoming guidance would be informal, and not a formal notice and comment.

Plan Sponsor Considerations

The DOL expects there to be questions asked when hiring a TPA or record-keeper.

• What practices and policies do the service provider have to ensure their systems are secure?
• Does the service provider have regular third-party audits by an independent entity?
• How does the third party validate their systems cybersecurity?
• Is there any history of cybersecurity incidents?  If so, what is their track record?
• What did they learn from any prior incidents, and how have they improved their defensive processes?
• Do they indemnify their clients in event of security systems breaches that result in losses?
• Do they have insurance policies to make you whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?

Do they have insurance policies to make you whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?

In the event a security breach is identified and an offender has achieved access to confidential information, the plan sponsor should produce a documented response, including notifying law enforcement, the FBI, the plan and their participants.

Once an official final guidance package is made available, we will share that information with you.

This material was created to provide accurate and reliable information on the subjects covered but should not be regarded as a complete analysis of these subjects. It is not intended to provide specific legal, tax or other professional advice. The services of an appropriate professional should be sought regarding your individual situation. 

We cannot accept trade orders through email. Important letters, email, or fax messages should be confirmed by calling 813-760-1769.  This email service may not be monitored every day, or after normal business hours. To add a colleague or be removed from this list, please email us at PlanInsight@advizrs.com or call 877-752-3849. Registered Representative Securities offered through Cambridge Investment Research, Inc., a Broker/Dealer, member FINRA/SIPC. Investment Advisor Representative, Cambridge Investment Research Advisors, Inc., a Registered Investment Advisor, Cambridge, Advizrs and RPAG are not affiliated.