New DOL Guidance on Blocking Retirement Plan Cyberattacks
Kirsch CPA Group
Jul 21, 2021

The U.S. Department of Labor (DOL) is becoming alarmed by the growing prevalence and sophistication of cybercrime. In response to this mounting threat, the agency recently released a cybersecurity program best practices guide for employers and companies that provide services to their retirement plans.
Benefits of Prompt Compliance
Attorneys specializing in retirement plan matters advise plan sponsors to heed the new DOL guidelines. Failure to do so could make your company vulnerable if litigation erupts following any kind of cyberbreach of its retirement plans — even if most of the plan’s administration is handled by service providers. ERISA plan fiduciaries generally must take reasonable steps to protect plan assets from cyberattacks.
Even without a legal dark cloud hovering above, employers don’t want to see their employees’ retirement savings wiped out in a breach. Moreover, management could transfer the knowledge gained from implementing the DOL’s recommended cybersecurity protocols to other potential areas of vulnerability, including the company’s financial systems.
Creating Your Cybersecurity Plan
Compliance with the DOL guidance begins with a comprehensive security plan. “A sound cybersecurity program,” the guidance states, “identifies and assesses internal and external risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information.”
The plan needs to feature policies, procedures, guidelines and standards in the following areas:
- Approval by top management,
- An annual review of the program,
- Education for relevant parties about the program,
- Documentation of the framework(s) used to assess the security of your systems, and
- Periodic audits by an outside expert to ensure that your plan is being followed.
The DOL expects your external security audit to include, among other things, audit reports, files, penetration test reports and supporting documents. Auditors also should document corrections of any cybersecurity weaknesses identified during the audit.
In addition to periodic external audits, the DOL recommends a fresh annual cybersecurity risk assessment. That’s because cybercriminals are constantly developing new tactics to break through your defenses.
“Employees are often an organization’s weakest link for cybersecurity,” according to the guidance. So, employers need a comprehensive cybersecurity awareness program that sets expectations for employees and teaches them to “recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat.”
Controlling Data Access
To manage the threat of employees inadvertently opening the door to cybercriminals, the DOL guidance calls for strong access control procedures. Examples include:
- Customizing who’s granted access to systems according to the role of the individuals involved, such as general users, plan administrators, third-party administrators and IT personnel,
- Using multifactor authentication (MFA) whenever possible, especially for access to internal networks from an external network,
- Reviewing access privileges at least every three months and, when necessary, disabling access according to your access policies,
- Monitoring the activity of authorized users and detecting unauthorized access or inappropriate actions,
- Creating a process to ensure that any sensitive information about a participant or beneficiary in the service provider’s records matches the information that the plan maintains about the participant, and
- Confirming the identity of the authorized recipient of any funds that are disbursed from the plan.
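As an added illustration (not part of the original article or of the DOL guidance itself), the Python sketch below shows how two of the controls listed above can be checked mechanically rather than by hand: a quarterly access review that flags accounts with an unapproved role, an overdue review, no recent activity or no MFA enrolment, and a reconciliation of participant data between the plan’s own records and a service provider’s records. The record layouts, field names and sample data are constructed for the example and are not drawn from any real plan or provider.

```python
from datetime import date, timedelta

# Roles the article lists as examples of access tiers (assumed naming).
ALLOWED_ROLES = {"general_user", "plan_administrator",
                 "third_party_administrator", "it_personnel"}

# Constructed sample access records (hypothetical field names, not real data).
ACCESS_RECORDS = [
    {"user": "alice", "role": "plan_administrator", "mfa_enrolled": True,
     "last_reviewed": date(2021, 6, 1), "last_login": date(2021, 7, 19)},
    {"user": "bob", "role": "general_user", "mfa_enrolled": False,
     "last_reviewed": date(2021, 6, 1), "last_login": date(2021, 7, 10)},
    {"user": "carol", "role": "it_personnel", "mfa_enrolled": True,
     "last_reviewed": date(2021, 3, 1), "last_login": date(2021, 7, 18)},
    {"user": "dave", "role": "contractor", "mfa_enrolled": True,
     "last_reviewed": date(2021, 6, 1), "last_login": None},
]


def review_access(records, today, review_interval=timedelta(days=90),
                  inactivity_limit=timedelta(days=90)):
    """Return {user: [reasons]} for every account that needs attention.

    The 90-day default mirrors the "at least every three months" review
    cadence; inactivity and MFA checks are added as typical review items.
    """
    findings = {}
    for rec in records:
        reasons = []
        if rec["role"] not in ALLOWED_ROLES:
            reasons.append("role not in approved role list")
        if today - rec["last_reviewed"] > review_interval:
            reasons.append("access review overdue")
        if rec["last_login"] is None or today - rec["last_login"] > inactivity_limit:
            reasons.append("no recent activity; candidate for disabling")
        if not rec["mfa_enrolled"]:
            reasons.append("not enrolled in multifactor authentication")
        if reasons:
            findings[rec["user"]] = reasons
    return findings


# Constructed participant records as held by the plan and by a service provider.
PLAN_RECORDS = {
    "P-1001": {"name": "A. Example", "dob": "1970-01-01", "address": "1 Main St"},
    "P-1002": {"name": "B. Example", "dob": "1982-05-09", "address": "2 Oak Ave"},
}
PROVIDER_RECORDS = {
    "P-1001": {"name": "A. Example", "dob": "1970-01-01", "address": "1 Main St"},
    "P-1002": {"name": "B. Example", "dob": "1982-05-09", "address": "9 Elm Rd"},
    "P-1003": {"name": "C. Example", "dob": "1990-12-12", "address": "3 Pine Ct"},
}


def reconcile(plan, provider, fields=("name", "dob", "address")):
    """Return (participant_id, field, plan_value, provider_value) discrepancies.

    A participant present on only one side is reported under the field
    'presence' with booleans for (in_plan, in_provider).
    """
    issues = []
    for pid in sorted(set(plan) | set(provider)):
        if pid not in plan or pid not in provider:
            issues.append((pid, "presence", pid in plan, pid in provider))
            continue
        for field in fields:
            if plan[pid].get(field) != provider[pid].get(field):
                issues.append((pid, field, plan[pid].get(field), provider[pid].get(field)))
    return issues


if __name__ == "__main__":
    for user, reasons in review_access(ACCESS_RECORDS, date(2021, 7, 21)).items():
        print(user, "->", "; ".join(reasons))
    for issue in reconcile(PLAN_RECORDS, PROVIDER_RECORDS):
        print("mismatch:", issue)
```

Every finding from `review_access` maps to a concrete follow-up from the list above (disable, re-approve, or enrol in MFA), and each `reconcile` discrepancy is something to resolve before any distribution is processed, since a participant’s address or other contact data that has changed only on the provider’s side is exactly the kind of mismatch the identity-confirmation step for disbursements is meant to catch.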
The DOL guidance addresses particular areas of risk associated with data stored on the cloud. The guidance points out: “In the cloud, data is stored with a third-party provider.” So, transparency and control over the data may be limited. Consider the following steps to help maintain scrutiny over cloud storage practices by third-party providers:
- Require a risk assessment of the provider,
- Establish minimum cybersecurity practices for the provider, and
- Ensure that guidelines and contract provisions are as robust as those you hold your retirement plan services providers to.
Post-Incident Protocols
The DOL guidance also recommends putting together a business “resiliency” plan. It’s important to have an incident response plan in place to help IT staff detect, respond to and recover from security incidents.
Post-incident best practices also include recommended actions, such as notifying law enforcement and your insurance carrier, and providing information about the breach to affected participants “to prevent or reduce injury.”
Fortify Your Defenses
Adhering to the DOL guidance can dramatically decrease the risk of a cyberattack on your company’s retirement plan. Plus, if your retirement plan does get hacked and you can prove compliance with the DOL guidance, you’ll probably have a much easier time dealing with your plan’s service providers and insurance carrier to ensure that any harm to participants is rectified — but not at your expense.
For more information, contact your legal and financial advisors. These professionals can help you update your company’s existing retirement plan cybersecurity protocols to comply with the rigorous new DOL guidelines.
We can help you tackle business challenges like these – schedule an appointment today.
© Copyright 2021. All rights reserved.
