Cybersecurity: it’s another area businesses are spending more and more on. And yep, Department of Labor regulations mean you can get audited on it.

It’s no surprise the government wants to take cybersecurity more seriously. The average data breach costs more than $4 million, and the figure is only rising. Indirect costs alone—like loss of reputation—can tank your business.

In April of 2021, the DOL issued new Cybersecurity Program Best Practices for plan sponsors, plan fiduciaries, record-keepers, and plan participants. With 12 key requirements, they represent a major overhaul of your responsibilities.

Understanding the new cybersecurity guidelines

If you are already making cybersecurity investments, some areas of the DOL guidance might be accounted for in your current strategy.

For example, item #1 calls for a “formal, well-documented cybersecurity program.” #2 requires you to “conduct prudent annual risk assessments,” something your top security stakeholder should be doing.

New complications come in with point #3: “Have a reliable annual third party audit of security controls.” DOL has already stepped up its audit activity, and having a third-party audit report to present may help you avoid selection.

Preparing for a 401(k) cybersecurity audit

Going forward, retirement plan audits will also examine compliance with cybersecurity guidelines.

When working under an audit, plan sponsors must be prepared to produce “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan.”

That includes items such as policies, procedures, and guidelines around:

  • Access controls, identity management, and multi-factor authentication
  • Business continuity, disaster recovery, and incident response
  • Management of vendors and third-party service providers
  • Cybersecurity awareness training
  • Implementation of encryption to protect sensitive data
  • Documents and communication related to past cybersecurity incidents

To start reviewing your compliance, see the Employee Benefits Security Administration’s Cybersecurity Program Best Practices.

For more information on keeping your 401(k) plan in compliance with all the latest regulations, contact Cassell Plan Audits.