In April 2021, the Department of Labor (DOL) announced official guidance relating to cybersecurity best practices, including maintaining security frameworks, reducing cyber risks, and ensuring retirement benefits are protected.
The guidance is intended for plan sponsors, fiduciaries, and record keepers of all sizes regulated by ERISA, as well as plan participants and beneficiaries. The release of the guidance is the first time that directions relating to cybersecurity have been outlined and issued by the DOL’s Employee Benefits Security Administration (EBSA).
Cybersecurity-related problems impact organizations of all shapes and sizes and can be a point of concern for both plan sponsors and plan participants. According to the EBSA, “there were more than 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion” as of 2018. Without adequate protection and preparation, the EBSA notes that these participants and assets will continue to be at risk for internal and external cybersecurity threats. Plan sponsors and fiduciaries need to take appropriate action to ensure that impacts are effectively mitigated.
The DOL guidance comes in three parts: “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices” and “Online Security Tips.”
3-Part DOL Guidance
Selecting a qualified and experienced service provider is a critical step in successfully establishing a secure environment. Directed towards plan sponsors, the guidance focuses on best practices for hiring service providers. It is worth noting that the EBSA places the responsibility to “prudently select and monitor” service providers with strong cybersecurity practices on the employers and fiduciaries. All potential service providers should be evaluated and closely monitored.
Law firms for the plans will be instrumental in helping to draft contract language that allows the plans to audit the service providers and requires the minimum cybersecurity standards to be in place. Law firms can also offer guidance on situations where service providers do not wish to disclose this information, as the DOL does not directly address this. Several questions to ask a potential service provider include:
- What information security standards, practices, and policies are in place, and how do they compare to industry standards?
- What is the service provider’s track record with previous incidents, security breaches, or legal proceedings?
- Does the service provider have insurance policies in place that would cover any losses caused by threats or breaches?
- Is your contract with the service provider in compliance with cybersecurity and information security standards?
The second part of the DOL guidance is the part that has received the most attention: “Cybersecurity Program Best Practices.” Those in the cybersecurity industry will recognize this guidance as industry best practice. It is important to note that protecting participants’ data under this guidance is a fiduciary responsibility of the plan. The DOL provided a “road map” for each of the twelve areas of the Cybersecurity Best Practices, and it is essential to understand and review the details of the twelve addressed areas. This guidance has also raised questions about the proper implementation for plans that fully outsource their administration, with some assuming that the responsibility then lies solely with the service provider. This is an incorrect interpretation of the guidance, and plans should expect to have a written information security program in place that will most likely reference their service provider(s).
The guidance for record keepers and service providers outlines the basic rules to implement to ensure that the risk of fraud and loss to retirement accounts is mitigated. A snapshot of several high-level best practices includes:
- Ensure the organization has a robust, well-documented cybersecurity program with strong security policies, guidelines, and standards that meet the provided criteria.
- Conduct annual risk assessments to identify potentially concealed threats.
- Third-party audits of the organization’s security controls (known as System and Organization Controls or SOC) can provide valuable information to assess risks associated with both operational and financial access to systems and data.
- Distinctly identify the senior executive and management personnel in charge of the cybersecurity program, outlining their roles and responsibilities and ensuring that they meet the qualifications needed to protect the organization successfully.
- Enable access control methods such as authentication and authorization to ensure that only appropriate personnel have access to secured IT systems and data.
The final part of the guidance is related to participant education. If participants have access to their plan information online, the plan should provide “Online Security Tips” in an easily accessible location on the plan’s website for all participants to review.
Plan participants and beneficiaries can reduce cyber threats and other risks to retirement accounts through consistent monitoring. The tips provided include:
- Adopt a firm password policy, utilizing a combination of 14 or more upper and lower case letters, numbers, and special characters. The passphrase should be unique and not used in conjunction with other accounts.
- Use multi-factor authentication, requiring computer users to provide multiple pieces of information to log in to a system, program, or website.
- Avoid using public Wi-Fi networks.
- Be vigilant for phishing attacks.
- Review and update anti-virus and firewall configurations and ensure your operating system is current.
Many fiduciaries want to know how best to develop policies, procedures, and internal controls to manage and protect plan data. Cybersecurity involves measuring relevant standards against established frameworks and adopting reasonable protections. Frameworks include (but are not limited to) The Center for Internet Security Critical Security Controls (CIS), The International Standards Organization (ISO), and The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).
Challenges have arisen in the last year related to the DOL not identifying a specific framework to establish cybersecurity alignment. Leadership teams must gather existing documentation, review current controls, and attempt to determine “where they are” and “where they need to be.”
Working with a trusted cybersecurity advisor who understands the DOL guidance and, more importantly, what is needed to satisfy the requirements is vital. The review process requires knowledge that comes only from security experience in the industry. Plan fiduciaries who attempt to compile documentation and institute change based on traditional practices often end up repeating the process, the second time with a DOL-experienced advisor.
The best practices and tip sheets outlined by EBSA should be considered by all organizations regardless of the size of the plan assets and participants. Organizations that already have a well-established cybersecurity strategy should continue to be prudent and monitor risks. Plan sponsors should continuously monitor the effectiveness of the cybersecurity controls of their service providers. Regulatory obligations related to cybersecurity will continue to evolve. A sound data-protection program aligned to business objectives has become critical for any organization that is the custodian or steward of information.
For more information on this topic, please contact a member of Withum’s Employee Benefit Plan Services Team.