Cybersecurity Considerations for the DOL’s New Electronic Disclosure Rule

The U.S. Department of Labor (DOL) announced a proposed new rule in October 2019 that would allow retirement plan sponsors to post plan disclosures online, rather than having to deliver this information via physical mail. While the DOL has emphasized that the proposed rule should result in increased convenience and reduced printing and mail expenses for companies, plan sponsors should very seriously consider the cybersecurity issues that accompany the electronic disclosure of sensitive plan and participant information. In fact, it is their fiduciary responsibility to do so.

Background on the Electronic Disclosure Rule

The proposed “Retirement Plans Electronic Disclosure Safe Harbor Rule” offers plan sponsors more options to fulfill their obligation to provide required documents and disclosures to participants and beneficiaries. The DOL expects that the rule, when finalized, will save about $2.4 billion on printing and mailing costs over the next 10 years. The rule applies to most plans covered by the 1974 Employee Retirement Income Security Act (ERISA), but it doesn’t cover employee welfare plans.

The proposed rule includes a safe harbor option allowing plan sponsors to put certain notices on a website, instead of sending paper announcements via physical mail. Before the transition to electronic disclosures, participants will be notified of the coming change and will be provided the opportunity to opt out of the new procedure and continue receiving printed information via mail.

Electronic Disclosure Heightens Cybersecurity Risks

While transitioning to a modern communication format to increase convenience and lower costs sounds very attractive, plan sponsors have a fiduciary responsibility to ensure that participants’ data are protected. The proposed rule remains vague regarding data protection requirements, simply stating that plan administrators must take reasonable measures to ensure confidential information is safeguarded.

Benefit plan documents carry a multitude of sensitive information, such as Social Security numbers, account balances, and home addresses. BDO research into “Cybersecurity Guidelines for C-Suite Executives” shows that intellectual property, personally identifiable information, protected health information, and payment and card information are highly valuable data points targeted by hackers. Even if this information is stored by service providers, plan sponsors are still obligated by law to ensure the information is protected.

How Plan Sponsors Can Prepare for Electronic Disclosure

The good news is that plan sponsors have time to address potential cybersecurity issues as well as review and update current processes before the proposed rule goes into effect. Once the electronic disclosure rule is finalized, it will become effective 60 days after it is published in the Federal Register. The rule will not apply to plans until January 1 of the year following the final rule, so the soonest the rule will be in effect is January 1, 2021.

In the interim, plan sponsors should take a close look at the cybersecurity controls needed to protect sensitive data and other information. BDO recommends a threat-based cybersecurity approach to prevent cyber-attacks and limit the costs associated with a potential breach. This approach analyses a company’s unique threat profile, identifies at-risk areas, and creates a range of proactive steps to safeguard sensitive information.

Some guidelines to a threat-based cybersecurity approach include:

  • Hiring an independent firm to evaluate specific areas, including vulnerabilities with email, networks, endpoints, spear-phishing, and other security assessments

  • Using advanced software encryption, including two-factor authentication, above and beyond password identification

  • Offering effective cybersecurity education and training for the entire workforce

  • Developing a solid governance plan to map, track, and secure all data

  • Reviewing and testing the organization’s Incident Response Plan (IRP)

  • Verifying compliance of the organization’s cybersecurity plan among service providers

Related Resources

Blog Post

4 Considerations for Nonprofits Planning to Embrace AI

April 17, 2024
Blog Post

4 Considerations for Nonprofits Planning to Embrace AI

April 17, 2024

BDO Director of Data and AI, Noah Mattern, participated in a series of AI strategy sessions with clients toward the end of 2023, and one thing rang true throughout the conversations: both non- and for-profit organizations across all sectors and industries are leaning into the power of AI but are often face challenges in fully implementing it.

Read More

Article

Risk Mitigation Strategies for Retailers Rolling Out AI Solutions

April 15, 2024
Article

Risk Mitigation Strategies for Retailers Rolling Out AI Solutions

April 15, 2024

Artificial intelligence (AI) is transforming the retail industry, offering new opportunities for enhancing customer experience, optimizing operations, and increasing revenue. However, AI also poses some challenges and risks.

Read More

mic_none
Podcast

60-second Retail Podcast - Episode 169: 2024 Retail CFO Outlook Survey: AI is Taking Off in Retail

April 9, 2024
Podcast

60-second Retail Podcast - Episode 169: 2024 Retail CFO Outlook Survey: AI is Taking Off in Retail

April 9, 2024

Tune into this episode of 60-second Retail, to hear Kirstie Tiernan, Principal - Data & AI at BDO Digital USA, explain why AI is taking off in retail and provide some advice on how to get your company started on the AI journey if you haven’t yet.

Read More

Article

New DOL Regulations May Bring Clarity to ESOP Valuation Process

April 8, 2024
Article

New DOL Regulations May Bring Clarity to ESOP Valuation Process

April 8, 2024

While a legal framework for employee stock ownership plans (ESOPs) was established by the Employee Retirement Income Security Act of 1974 (ERISA), formal guidance for determining the fair market value (FMV) of private company shares sold to an ESOP has not been issued in the 50 years since then.

Read More