In a coauthored article for PLANADVISER, benefits and executive compensation partner Fred Reish and counsel Joan Neri answered a question from a registered investment adviser (RIA) regarding the Department of Labor’s (DOL) guidance on fiduciaries’ responsibilities regarding service provider cybersecurity practices.
The RIA, who assists 401(k) plan committees in selecting and monitoring recordkeepers and in searching for new recordkeepers, asked Reish and Neri, “What do I need to know to assist the committees?”
The authors provided an overview of the DOL cybersecurity guidance and outlined three categories of cybersecurity factors that a committee should consider to prudently select and monitor the recordkeeper for its plan:
- Information about the recordkeeper’s standards, practices and policies
- Information about the recordkeeper’s track record, including the way it handled any past security incidents and breaches
- Suggested provisions to include in the service agreement
Reish and Neri also explained other provisions that the DOL suggests an agreement with a recordkeeper should contain, such as those relating to confidentiality, response to cybersecurity breaches and compliance with privacy and security laws.