The DOL's Employee Benefits Security Administration issued guidance April 14 on cybersecurity best practices for recordkeepers, plan sponsors and fiduciaries, participants and beneficiaries.
EBSA has issued regulations on electronic records and disclosures to plan participants and beneficiaries in the past, but this is the first time it has issued specific cybersecurity guidance. The guidance comes in three forms: cybersecurity program best practices for recordkeepers and other service providers, tips for plan sponsors on selecting a service provider, and general online security tips.
Cybersecurity Program Best Practices
EBSA suggests best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries in choosing service providers. EBSA argues that service providers should:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Tips for Hiring a Service Provider
The DOL offers the following tips in order to help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers.
- Ask the service provider:
  - about its information security standards, practices and policies, and audit results;
  - how it validates its practices;
  - what levels of security standards it has met and implemented; and
  - whether it has experienced past security breaches, what happened, and how it responded.
- Look for:
  - service providers that follow a recognized standard for information security and use an outside auditor to review and validate cybersecurity; and
  - contract provisions that give you the right to review audit results demonstrating compliance with security standards.
- Compare the service provider’s standards to those other financial institutions follow.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation and legal proceedings related to its services.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
- Make sure that a contract with a service provider requires ongoing compliance with cybersecurity and information security standards. Try to include in the contract terms that would enhance cybersecurity protection, such as those concerning the following:
  - Information Security Reporting. Require the service provider to obtain a third-party audit annually to determine compliance with information security policies and procedures.
  - Clear Provisions on the Use and Sharing of Information and Confidentiality. Spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse.
  - Notification of Cybersecurity Breaches. Identify how quickly the service provider will provide notification of any cyber incident or data breach, and ensure the service provider’s cooperation to investigate and reasonably address its cause.
  - Compliance with Laws Concerning Records Retention and Destruction, Privacy and Information Security. Specify the service provider’s obligations to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality or security of participants’ personal information.
  - Insurance. Consider requiring insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.
General Online Security Tips
EBSA suggests that the following practices can reduce the risk of fraud and loss to retirement accounts, not only for plan sponsors but also for plan participants.
- Register, set up and routinely monitor online accounts.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal contact information up to date.
- Close or delete unused accounts.
- Be wary of free Wi-Fi.
- Beware of phishing attacks.
- Use antivirus software and keep apps and software current.
- Know how to report identity theft and cybersecurity incidents.
Acting Assistant Secretary for Employee Benefits Security Ali Khawar hailed the guidance as “an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information.” Khawar added, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime.”