Protecting Your Data is Critical: Is your employer-sponsored retirement plan keeping up with best practices for information security?

June 29, 2021

In today’s world, protecting sensitive data is top-of-mind for many companies. At TriNet, we work every day to make sure that any data entrusted to us is properly safeguarded. We also work diligently to extend our data protection efforts to our service providers.

The need to protect data exchanged in connection with 401(k) plans has been highlighted recently due to guidance released by the Department of Labor (DOL). Earlier this year, the Government Accountability Office (GAO) issued a report entitled “Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans.” In the report, the GAO found that, while plan sponsors and their service providers (record keepers, third party administrators, custodians and payroll providers) are required to exchange the sensitive personally identifiable information of the over 100 million individuals who participate in defined contribution plans, the DOL had not clarified “the fiduciary responsibility for mitigating cyber risks.”

Following the GAO’s report, the DOL issued its first-ever cybersecurity guidance for private sector employer-sponsored retirement plans. The DOL’s guidance, which was issued on April 14th, was intended to complement existing DOL regulations on electronic records and disclosures to plan participants and beneficiaries. The DOL’s guidance consists of three distinct documents: Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips. The DOL’s “Tips for Hiring a Service Provider” lists six issues the DOL recommends that plan sponsors and fiduciaries address when selecting a service provider (including specific factors that should be used to analyze a service provider’s cyber risk and contractual requirements that should be included in any agreement with a service provider), whereas the “Cybersecurity Program Best Practices” is meant to aid plan fiduciaries and record keepers in their cybersecurity management responsibilities (including recommendations with respect to annual audits of security controls and risk assessments). The “Online Security Tips” is meant as a resource for participants and beneficiaries. Taken together, the DOL’s guidance is a great starting point for companies to ask important questions of their 401(k) providers and think critically about how their data is being protected. For more information, check out the DOL’s Tips for Hiring a Service Provider and Cybersecurity Program Best Practices!

At TriNet, we recognize that the data our customers entrust to us—whether as a participant in the 401(k) plans TriNet sponsors or otherwise—is often an individual’s most sensitive personal data. That is why we welcome the DOL’s guidance, as it is already a cornerstone of our mission to give all of the data we handle in connection with our 401(k) plans the protection it deserves. This includes being transparent about how we handle our customers’ data, in addition to implementing industry-leading privacy and information security practices that we apply to our role as a plan sponsor and to the service providers we work with.

This communication is for informational purposes only; it is not legal, tax or accounting advice; and is not an offer to sell, buy or procure insurance.

This post may contain hyperlinks to websites operated by parties other than TriNet. Such hyperlinks are provided for reference only. TriNet does not control such websites and is not responsible for their content. Inclusion of such hyperlinks does not necessarily imply any endorsement of the material on such websites or association with their operators.
