On April 14, 2021, the U.S. Department of Labor (DOL) announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on protecting the retirement benefits of America’s workers. The new guidance left most plan sponsors and service providers scrambling to determine their next steps and whether they were in compliance with the newly identified Cybersecurity Program Best Practices.
Moore Colson created an assessment approach for this brand-new framework and has partnered with several organizations to assess their compliance with the DOL’s best practices. We learned a lot through these engagements, and these lessons can help other plan sponsors and service providers still working toward compliance including: the creation of a new “framework”, the sufficiency of SOC 2 control objectives to address the framework, the need for vendor management which includes SOC report review, and results of reviewing the SOC reports of large, national service providers as a part of our assessments.
DOL Best Practices Represent a New Framework
As you read through the 12 best practices, you see the influence of National Institute of Standards and Technology (NIST), American Institute of Certified Public Accountants (AICPA)’s System and Organization Controls (SOC) 2, IT general controls and good overall IT governance. While the DOL didn’t officially call the best practices a framework, that is what it is! The best practices act as control objectives. The detailed recommendations within each best practice act as expected controls.
Is a SOC 2 Audit Sufficient to Meet All of the Requirements of the DOL Framework?
The AICPA’s SOC 2 Trust Services Criteria for security address most of the DOL’s framework. However, there are a few notable gaps where the DOL’s best practices don’t precisely map back to a standard SOC 2 criterion or control objective:
Criteria 5 – Strong Access Control Procedures
- Procedures are implemented to ensure that any sensitive information about a participant or beneficiary in the service provider’s records matches the plan’s information about the participant.
- Confirm the identity of the authorized recipient of the funds.
Criteria 6 – Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider are Subject to Appropriate Security Reviews and Independent Security Assessments
- Ensuring that guidelines and contractual protections, at minimum, address the following for a third-party service provider:
  - Access control policies and procedures, including the use of multi-factor authentication.
  - Encryption policies and procedures.
  - Protocol for a cybersecurity event that directly impacts a customer’s information system(s) or nonpublic information.
Criteria 8 – Secure System Development Life Cycle
- Procedures, guidelines and standards that ensure organizations securely develop in-house applications. These guidelines would include such protections as:
  - Configuring system alerts to trigger when someone changes an individual’s account information.
  - Requiring additional validation if someone changes personal information before requesting a distribution from the plan account.
  - Requiring additional validation for distributions (other than a rollover) of the entire balance of the participant’s account.
- Procedures for evaluating or testing the security of externally developed applications, including periodic reviews and updates.
Criteria 11 – Strong Technical Controls Implementing Security Best Practices
- Routine data backups (preferably automated).
  - These controls aren’t required under the Security criteria but are wholly covered by the Availability criteria.
Criteria 12 – Responsiveness to Cybersecurity Incidents or Breaches
- When a cybersecurity breach or incident occurs, organizations should take appropriate action to protect the plan and its participants, including:
  - Giving affected plans and participants the information necessary to prevent/reduce injury.
Service Providers will need to add specific controls to their existing SOC 2 control objectives to address the identified gaps.
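The Criteria 5 and Criteria 8 items above are the ones that translate most directly into detection logic a recordkeeper can run over its own data: reconcile sensitive participant fields against the plan sponsor's copy, alert on every account-information change, and hold distribution requests for extra validation when they follow a recent profile change or would empty the account outside a rollover. The script below is an added example written for this article; it is not code from the DOL guidance or from Moore Colson. The participant records, the event log, the field names, the 30-day look-back window and the "full balance" test are all constructed assumptions; the DOL text does not specify any of these values.

```python
"""
Added example (not from the DOL guidance or Moore Colson): detection checks for
the Criteria 5 and Criteria 8 control expectations listed above.

All data below is constructed sample data. Field names, the 30-day look-back
window and the full-balance rule are assumptions, not DOL-published values.
"""
from datetime import datetime, timedelta

WINDOW_DAYS = 30  # assumed: how recent a profile change must be to count as risky

# Constructed recordkeeper-side participant records ...
PROVIDER_RECORDS = {
    "P001": {"address": "12 Elm St", "bank_last4": "4321", "balance": 50000.00},
    "P002": {"address": "9 Oak Ave", "bank_last4": "8765", "balance": 12000.00},
    "P003": {"address": "77 Pine Rd", "bank_last4": "1111", "balance": 8000.00},
}
# ... and the plan sponsor's copy of the same sensitive fields (P002 differs on purpose)
PLAN_RECORDS = {
    "P001": {"address": "12 Elm St", "bank_last4": "4321"},
    "P002": {"address": "9 Oak Ave", "bank_last4": "5555"},
    "P003": {"address": "77 Pine Rd", "bank_last4": "1111"},
}

# Constructed event log: account-information changes and distribution requests
EVENTS = [
    {"ts": "2021-05-01T09:00:00", "pid": "P001", "type": "personal_info_change", "field": "bank_last4"},
    {"ts": "2021-05-03T10:15:00", "pid": "P001", "type": "distribution_request", "amount": 50000.00, "rollover": False},
    {"ts": "2021-03-01T08:00:00", "pid": "P002", "type": "personal_info_change", "field": "address"},
    {"ts": "2021-05-10T14:00:00", "pid": "P002", "type": "distribution_request", "amount": 1000.00, "rollover": False},
    {"ts": "2021-05-12T11:30:00", "pid": "P003", "type": "distribution_request", "amount": 8000.00, "rollover": True},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def record_mismatches(provider, plan, fields=("address", "bank_last4")):
    """Criteria 5: sensitive fields in the provider's records must match the plan's copy.
    Returns (participant_id, field) for each mismatch, or (participant_id, 'missing_at_provider')."""
    out = []
    for pid, plan_rec in plan.items():
        prov_rec = provider.get(pid)
        if prov_rec is None:
            out.append((pid, "missing_at_provider"))
            continue
        for f in fields:
            if prov_rec.get(f) != plan_rec.get(f):
                out.append((pid, f))
    return out


def account_change_alerts(events):
    """Criteria 8: every change to a participant's account information raises an alert."""
    return [(e["pid"], e["field"], e["ts"]) for e in events if e["type"] == "personal_info_change"]


def distributions_needing_validation(events, balances, window_days=WINDOW_DAYS):
    """Criteria 8: distribution requests that require additional validation, keyed by
    (participant_id, timestamp), with the list of reasons that triggered the hold."""
    flagged = {}
    changes = [e for e in events if e["type"] == "personal_info_change"]
    for e in events:
        if e["type"] != "distribution_request":
            continue
        reasons = []
        req_time = parse_ts(e["ts"])
        # Hold if personal information changed within the look-back window before the request
        for c in changes:
            if c["pid"] == e["pid"]:
                delta = req_time - parse_ts(c["ts"])
                if timedelta(0) <= delta <= timedelta(days=window_days):
                    reasons.append("recent_personal_info_change")
                    break
        # Hold if the request would empty the account and is not a rollover
        if not e["rollover"] and e["amount"] >= balances[e["pid"]]["balance"]:
            reasons.append("full_balance_non_rollover")
        if reasons:
            flagged[(e["pid"], e["ts"])] = reasons
    return flagged


if __name__ == "__main__":
    for m in record_mismatches(PROVIDER_RECORDS, PLAN_RECORDS):
        print("RECORD MISMATCH", m)
    for a in account_change_alerts(EVENTS):
        print("ACCOUNT CHANGE ALERT", a)
    for key, reasons in distributions_needing_validation(EVENTS, PROVIDER_RECORDS).items():
        print("HOLD FOR VALIDATION", key, reasons)
```

On the sample data, P002's bank account on file differs from the plan's copy, both profile changes raise an alert, and only P001's request is held (it follows a bank-account change by two days and would drain the full balance outside a rollover); P002's change is older than the window and P003's full-balance request is a rollover, so neither is held.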
Vendor Management and SOC Report Review
For our engagements, we reviewed 10+ unique SOC 2 reports from large asset holders with billions of dollars of assets down to hosted solutions that only provide payroll processing. What we consistently identified is that employee benefit plans (EBP) must have a strong vendor management program in place that performs the following:
- Review each service provider’s SOC report on an annual basis.
- Map controls in each SOC report to the best practices framework control objectives.
- Review the results of testing for each mapped control for any exceptions.
- Review each SOC report’s System Description for the best practices framework controls that require judgment (e.g., Criteria 6) for sufficiency to the Plan’s needs.
- Define a plan for assessing the impact of identified exceptions and how the Plan will resolve them internally with mitigating controls or directly with the vendor.
- Define a plan/approach for service providers that do not have a SOC audit performed.
- Report results to the EBP’s risk management committee.
SOC 2 Reports Reviewed
Many of the larger service providers are keen to demonstrate compliance with the DOL framework within their SOC 2 report. Accordingly, they have created new controls to ensure that all 12 framework best practices are addressed (including the gaps identified above) and mapped to a SOC 2 control objective. For the average service provider, we noted that most still need to work to strengthen the controls around the gaps identified above.
Overall, we were encouraged by what we saw in reviewing the service provider environments that had SOC 2 audits performed, as well as our detailed testing of those environments without an external audit performed.
The new DOL framework has provided essential cybersecurity guidelines for all parties in the EBP ecosystem. If you need assistance with an assessment or have general questions, please feel free to reach out to us, and we will partner with you to help you comply with this new framework.