Categories: 401k Audits

DOL Issues Cybersecurity Guidance for ERISA Plans

The importance of robust cybersecurity controls and policies was on full display recently as news of the ransomware attack on Colonial Pipeline emerged. Cybercriminals were able to disrupt the delivery of fuel to the East Coast, pushing many into a frenzy over dwindling fuel supplies. It has been reported that the company paid a $5M ransom to regain control of its systems and resume distributing needed supplies. The incident reveals the high level of risk posed by bad actors (cybercriminals) from around the globe. While this attack targeted an energy distribution network, financial institutions, including retirement plans, are frequent targets as well. As a result, it is important for Atlanta plan sponsors to implement and review cybersecurity controls. The Department of Labor (DOL) recently issued guidance to help keep plan participants from becoming victims of fraud. It was released as part of a series designed to educate plan sponsors, administrators, and participants about online security best practices. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.

DOL Online Security Tips

  • Strong Passwords – Most people prefer passwords that are easy to remember, which often means they are short, contain no special characters, and are rarely changed. The guidance highlights best practices for password management, including using a mix of letters, numbers, and special characters, avoiding dictionary words, and making passwords at least 14 characters long. In addition, participants are advised not to write passwords down (unless using a secure password manager), never to share credentials, never to reuse a password across accounts, and to change passwords every 120 days or immediately after a data breach.
  • Multi-Factor Authentication (also called dual factor or two-factor) – This is a process that requires a user to enter not only the correct password but also a secondary credential to verify their identity. Common examples include a one-time code sent to the email address on file or to a mobile device. This additional step is effective at reducing successful phishing, automated credential stuffing, and password guessing attacks. One caveat: a code delivered by email or text message can still be relayed by a phishing site in real time, so where the plan provider offers an authenticator app or hardware security key, that option is stronger.
  • Close Unused Accounts – The smaller the online presence, the less opportunity there is for information to be stolen by bad actors. Therefore, the DOL recommends closing old retirement plan accounts, or terminating online access to them, to ensure personal information remains secure. For accounts that are kept but not regularly monitored, it is a good idea to sign up for account alerts so that participants are notified of activity such as logins, contact-information changes, and withdrawals.
  • Avoid Free Wi-Fi – While convenient, these networks pose serious security risks: a bad actor on the same network can intercept traffic or impersonate the plan's website to steal personal information, including passwords. When in a public setting, it is better to access the web through a cell phone's data connection or another trusted mobile device rather than an open network.
  • Watch Out for Phishing Attacks – These attacks are designed to trick a user into sharing account credentials such as passwords, account numbers, and other sensitive information so the attacker can access the account. Phishing messages often look authentic but are built to get users to click on malicious links that lead to a look-alike page where credentials are harvested. The most common warning signs of a phishing attack include:
    • An unexpected message from an unknown sender, or from a service the participant does not use.
    • The message contains poor English grammar and spelling.
    • Misleading links that send the user to an unexpected URL. Check this by hovering the mouse over the link (without clicking on it) so the actual link destination appears in the browser's status bar, usually at the bottom left of the window; the displayed text of a link and its real destination can differ.
    • Email asking for account numbers or other personal information. Remember that legitimate plan providers do not send messages asking for such information electronically.

Contact Us

The unfortunate reality is that users often pose the greatest risk because they are a key variable that is difficult to control. As a result, sharing these tips with employees and plan participants is an important step in the risk management process. If you have questions about the information outlined above or need assistance with a plan audit or other ERISA needs, Wilson Lewis can help. For additional information, call us at 770-476-1004 or click here to contact us. We look forward to speaking with you soon.

Published by Erin Carter
