March 3, 2022
EBSA Provides Data Security Tips for Plan Sponsors
Employee benefit plan sponsors serve in a critical fiduciary role over sensitive employee information. As a plan sponsor, are you aware of cybersecurity risks to your plan and how to effectively mitigate them?
The Department of Labor’s (DOL) Employee Benefit Security Administration (EBSA) is dedicated to educating plan participants, plan sponsors and service providers. The EBSA has recently focused on information technology and cybersecurity risks, raising awareness of how stakeholders can do their part to safeguard sensitive participant information.
Data Security at Service Providers
Employee benefit plans are frequently administered by third-party service providers. In their fiduciary capacity over the plan, plan sponsors must evaluate service providers to ensure they are capable of keeping plan and participant data secure. Often, these service providers receive Service Organization Controls (SOC) reports annually that provide independent auditor assurance that the service provider has the internal controls in place to keep your plan’s information safe and secure.
SOC reports include a list of complementary user entity controls that must be in place at the user entity (the plan sponsor) for the service provider’s internal controls to operate as intended. The plan sponsor is responsible for ensuring that the complementary user entity controls listed in the SOC report are in place at its own organization; a SOC report gives no assurance about the provider’s controls if those sponsor-side controls are missing.
Looking for a new EBP administrator or payroll provider? The EBSA recommends asking these six security questions when interviewing a potential new service provider.
You may also find this list of cybersecurity best practices useful.
Participant Online Security
One of the biggest risks to plan security is plan participants themselves. Routine education for employees covering online data security can mitigate the risk of loss due to fraudulent activity. The top three things an individual can do to protect their retirement account include:
- Set up and routinely monitor your online account – Allows you to easily manage your account, including current address and beneficiary information, among other things. Regularly checking your account can reduce the risk and extent of fraudulent activity.
- Use a strong and unique password to access your account – Include a mix of upper- and lower-case letters, numbers and special characters. Passwords should not be recognizable words or sequential letters or numbers, and they should not be shared or reused across sites. Many sites offer two-factor authentication, which requires a second credential to verify your identity, such as a code received via text message or email.
- Use a trusted Wi-Fi network – Free public Wi-Fi is common at hotels, airports and coffee shops, but it can expose your personal information to outside parties on the same network. Only log into your account from a trusted connection, such as your cell phone’s data connection or your home network.
The EBSA recommends a suite of tips for online security as a resource for plan participants.
Like other organizations, employee benefit plans are susceptible to cyberattacks. Given the amount of sensitive participant and beneficiary data entrusted to them and to the service providers they choose, plan sponsors must be vigilant both externally and internally.