On April 14, 2021, the U.S. Department of Labor (DOL) made good on a promise from October 2020 to introduce some “informal” guidance on cybersecurity best practices for plan sponsors, plan fiduciaries, recordkeepers and plan participants. This is the first time that the department’s Employee Benefits Security Administration has issued cybersecurity guidance. The guidance is divided into three categories: Tips for Hiring a Service Provider, Cybersecurity Program Best Practices and Online Security Tips.
Tips for Hiring a Service Provider – Plan Sponsors
The records and transactions of employee benefit plans are often maintained by a third-party service provider. Much of this information is confidential participant data as well as monetary assets that need protection from both internal and external cybersecurity threats. As discussed in our previous blog post from December 2020, Plan Sponsors should vet service providers to ensure they have strong cybersecurity practices. Cybersecurity practices are becoming one of the top criteria considered when selecting a service provider. To help business owners and fiduciaries meet their responsibilities under the Employee Retirement Income Security Act (ERISA) to prudently select and monitor such service providers, the DOL has prepared the following tips for plan sponsors of all sizes.
- 1) Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
- 2) Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- 3) Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation and legal proceedings related to the vendor’s services.
- 4) Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- 5) Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account).
- 6) When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
If the service provider does not adequately address these points within the service agreement or contract, the plan sponsor could be liable for damages related to fiduciary responsibilities. If you haven’t done so already, it is time to pull out those service agreements and contracts to review these areas and start asking the appropriate questions. Refer to the DOL’s document for suggested terms in the contract that would enhance cybersecurity protection for the plan and its participants.
Cybersecurity Program Best Practices – Service Providers
The Employee Benefits Security Administration has prepared the following best practices for use by record-keepers and other service providers responsible for plan-related IT systems and data. These best practices are also intended for plan fiduciaries making prudent decisions on the service providers they should hire. Plans’ service providers should:
- 1) Have a formal, well-documented cybersecurity program.
- 2) Conduct prudent annual risk assessments.
- 3) Have a reliable annual third-party audit of security controls.
- 4) Clearly define and assign information security roles and responsibilities.
- 5) Have strong access control procedures.
- 6) Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- 7) Conduct periodic cybersecurity awareness training.
- 8) Implement and manage a secure system development life cycle (SDLC) program.
- 9) Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- 10) Encrypt sensitive data stored and in transit.
- 11) Implement strong technical controls in accordance with best security practices.
- 12) Appropriately respond to any past cybersecurity incidents.
If that list seems overwhelming to tackle and develop, there are firms that offer cybersecurity assessments, vulnerability scanning, penetration testing, and assessment, consulting and training services for incident response plans, breach management, business continuity plans and disaster recovery. Get a third-party IT expert involved who can help you address your areas of vulnerability. Refer to the DOL’s document for more information on these best practices.
Online Security Tips – Plan Participants and Individuals
Individuals are often the weakest link in the defense against cybercriminals. Clicking the wrong link, being too trusting or not being well informed can lead to poor choices. The DOL recognized the need to remind individuals of these important practices:
- 1) Register, set up and routinely monitor your online accounts.
- 2) Use strong and unique passwords.
- 3) Use multi-factor authentication.
- 4) Keep personal contact information current.
- 5) Close or delete unused accounts.
- 6) Be wary of free Wi-Fi networks.
- 7) Beware of phishing attacks.
- 8) Use antivirus software and keep apps and software current.
- 9) Know how to report identity theft and cybersecurity incidents.
- 10) The FBI and the Department of Homeland Security have set up valuable sites for reporting cybersecurity incidents:
Refer to the DOL’s document for more information on these best practices.
The Bottom Line
This guidance is a first step in highlighting an increasingly important issue within the benefit plan landscape. The DOL previously announced that it expects an increased focus on the adequacy of cybersecurity programs during its investigations, especially for larger plans. That focus will ensure that plans are screening the providers they use for good cybersecurity practices. As cybersecurity continues to gain attention, we expect regulators to continue to evaluate, inquire and require evidence that these discussions are being conducted and that steps are being implemented. Take this guidance to heart and make sure you are taking steps to combat cybercrime.
Candace Jackson, CPA, is a Partner in Moore Colson’s Business Assurance Practice. She manages audit and review teams and serves as a Practice Area Leader in the firm’s Employee Benefit Plan Practice.