On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration (“EBSA”) issued, for the first time, guidance on best practices for maintaining cybersecurity. The guidance came in the form of three documents:
- “Cybersecurity Program Best Practices,” which is intended to assist plan fiduciaries and service providers in meeting their responsibilities to manage cybersecurity risks;
- “Tips for Hiring a Service Provider,” which is intended to assist plan sponsors and fiduciaries in selecting and monitoring service providers with strong cybersecurity practices; and
- “Online Security Tips,” which is intended to assist plan participants and beneficiaries who check their retirement accounts online in reducing the risk of fraud and loss.
The following is a high-level summary of EBSA’s cybersecurity guidance.
Cybersecurity Program Best Practices
This document identifies a number of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data. In addition, EBSA notes in the guidance that plan fiduciaries who are responsible for hiring such service providers “have an obligation to ensure proper mitigation of cybersecurity risks” and should take these best practices into consideration when making their hiring decisions.
The best practices identified in this document include:
- Maintaining a Formal, Well Documented Cybersecurity Program. The guidance states that a prudently designed cybersecurity program will:
o protect the infrastructure, information systems and the information in the systems from unauthorized access, use, or other malicious acts;
o establish strong security policies, procedures, guidelines, and standards; and
o have formal and effective policies and procedures.
- Conducting Annual Risk Assessments. The guidance notes that because IT threats are constantly changing, service providers should periodically conduct risk assessments in order to identify, estimate, and prioritize information system risks, and should codify the scope, methodology and frequency of such risk assessments.
- Engaging Third-Party Auditors to Conduct Annual Audits of Security Controls. The guidance notes that engaging an independent auditor to assess a service provider’s security controls would provide “a clear, unbiased report of existing risks, vulnerabilities, and weaknesses.”
- Clearly Defining and Assigning Information Security Roles and Responsibilities. The guidance notes that to be effective, a cybersecurity program must be managed at the senior executive level (typically by a Chief Information Security Officer) and executed by qualified personnel.
- Maintaining Strong Access Control Procedures. The guidance notes that it is important for service providers to maintain strong “access control” procedures which ensure that users of IT systems and data are who they say they are and are given access appropriate to their roles within the organization. The guidance includes best practices for authentication and authorization, the two main components of access control.
- Subjecting Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider to Appropriate Security Reviews and Independent Security Assessments. The guidance acknowledges the security issues and challenges associated with cloud computing and notes that plan fiduciaries “must understand the security posture of the cloud service provider in order to make sound decisions on using the service.” The guidance identifies best practices for ensuring that third-party service providers maintain adequate security controls, including requiring risk assessments and defining minimum cybersecurity practices.
- Conducting Periodic Cybersecurity Awareness Training. Noting that “[e]mployees are often an organization’s weakest leak for cybersecurity,” the guidance emphasizes the importance of maintaining a comprehensive cybersecurity awareness program for all personnel and identifies identity theft as a key topic of training.
- Maintaining an Effective Business Resiliency Program. The guidance addresses the importance of maintaining a “business resiliency program” that enables an organization to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and data. The guidance identifies the components of such a program and associated best practices.
- Encrypting Sensitive Data. The guidance states that a cybersecurity program should implement and continually incorporate current and prudent standards with respect to data encryption to protect the confidentiality and integrity of sensitive data, both in storage and in transit.
- Appropriately Responding to Cybersecurity Breaches. The guidance acknowledges that cybersecurity breaches can happen, but notes that appropriate action should be taken to protect affected plans and their participants, including:
o informing law enforcement and the appropriate insurer;
o notifying affected plans and participants in accordance with agreed upon notification requirements;
o giving the affected plans and participants the information necessary to prevent or reduce injury;
o investigating the incident; and
o fixing the problems that caused the breach.
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
In this document, EBSA notes that plan sponsors who rely on service providers to maintain plan records and keep participant data confidential and plan accounts secure have a fiduciary obligation under ERISA to prudently select and monitor such service providers. In order to assist plan sponsors in meeting their fiduciary obligations, the guidance identifies certain actions a plan sponsor should take when selecting such a service provider, including:
- Asking about the service provider’s information security standards, practice and policies, and comparing them to industry standards adopted by other service providers;
- Asking the service provider how it validates its cybersecurity practices;
- Evaluating the service provider’s track record by reviewing public information regarding cybersecurity incidents and legal proceedings relating to its services;
- Asking whether the service provider has experienced cybersecurity breaches and, if so, how the service provider responded to the breaches; and
- Asking whether the service provider has insurance policies that would cover losses resulting from cybersecurity breaches.
The guidance also notes that when contracting with a service provider, plan sponsors should try to include terms that would enhance cybersecurity protection for the plan, including provisions that:
- Require the service provider annually obtain a third-party audit to determine compliance with its information security policies and protocols;
- Address the service provider’s obligations with respect to preventing unauthorized use or disclosure of confidential information;
- Identify how quickly the service provider must notify the plan sponsor of cybersecurity breaches;
- Specify the service provider’s obligations to meet all applicable legal and regulatory requirements pertaining to the privacy, confidentiality, or security of participants’ personal information; and
- Require the service provider to maintain insurance coverage.
Online Security Tips
This document advises plan participants and beneficiaries with online retirement accounts to take certain actions to reduce the risk of fraud and loss, including:
- Registering and routinely monitoring online accounts;
- Using strong and unique passwords and multi-factor authentication;
- Keeping personal contact information current;
- Closing or deleting unused accounts;
- Accessing online accounts through cellular or home networks instead of free Wi-Fi networks;
- Using trustworthy antivirus software and keeping the software up to date; and
- Reporting identity theft and cybersecurity incidents.
We will continue to monitor any future developments in this area.