On April 14, 2021, the DOL’s Employee Benefits Security Administration (EBSA) issued long-awaited guidance designed to protect participants from both internal and external cybersecurity threats. The guidance is far-reaching and is directed at plan sponsors, plan fiduciaries, recordkeepers, and plan participants. This is the first time the DOL has issued guidance on cybersecurity for employee benefit plans and is a welcome step forward as it provides best practices and tips to help mitigate cybersecurity risks.
The guidance is set forth in three parts:
Tips for Hiring a Service Provider: Provides practical steps plan sponsors and fiduciaries can take when selecting retirement plan service providers.
- Ask about the service provider’s information security standards, practices, and policies, as well as audit results, and compare them to the industry standards adopted by other financial institutions.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendors’ services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third-party hijacking a plan participant’s account).
- When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants.
Cybersecurity Program Best Practices: Includes best practices designed to assist plan fiduciaries and recordkeepers in managing cybersecurity risks.
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Have clearly defined and assigned information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that assets or data stored in the cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct cybersecurity awareness training at least annually for all personnel and update to reflect risks identified by most recent risk assessment.
- Implement a Secure System Development Life Cycle Program (SDLC).
- Have a business resiliency program that addresses business continuity, disaster recovery, and incident response.
- Encrypt sensitive data stored and in transit.
- Have strong technical controls implementing best practices.
- Take appropriate action to respond to cybersecurity incidents and breaches.
Online Security Tips: Directed at plan participants and beneficiaries who check their retirement accounts online. It provides basic rules to reduce the risk of fraud and loss.
- Register, set up, and routinely monitor your online account.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be wary of free Wi-Fi.
- Beware of phishing attacks.
- Use anti-virus software and keep apps and software current.
- Know how to report identity theft and cybersecurity incidents.
Additional information on the tips and best practices summarized above can be found in three documents provided by the DOL.
- Tips for Hiring Service Providers with Strong Cybersecurity Practices
- Cybersecurity Program Best Practices
- Online Security Tips
Did You Know?
As of 2018, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.