DOL Issues Cybersecurity Guidance For Employee Benefit Plans

McNees Wallace & Nurick LLC
Contact

McNees Wallace & Nurick LLC

On Thursday April 14, 2021, the U.S. Department of Labor announced guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity. This is the first time the Department has issued guidance on cybersecurity for employee benefit plans.

The guidance includes tips for plan sponsors and fiduciaries in selecting and hiring service providers, including:

  • Compare the service provider’s information security standards, practices and policies, and audit results to the industry standards.
  • Look for service providers that follow a recognized standard for information security and use a third-party auditor to review and validate its cybersecurity practices.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the service provider’s services.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  • Make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
  • Also, try to include provisions addressing the following in your agreements with your service providers:
    • Information security reporting,
    • Clear provisions on the use and sharing of information and confidentiality,
    • Notification of cybersecurity breaches,
    • Compliance with records retention and destruction, privacy and information security laws, and
    • Insurance coverage.

The guidance also includes cybersecurity programs’ best practices to assist plan fiduciaries and recordkeepers in their risk mitigation responsibilities, including:

  • Have a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle (SDLC) program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.
  • Implement strong technical controls in accordance with best security practices.
  • Appropriately respond to any past cybersecurity incidents.

Lastly, the guidance includes online security tips for plan participants who access their accounts online.

The guidance may be found at here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising

Written by:

McNees Wallace & Nurick LLC
Contact
more
less

McNees Wallace & Nurick LLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.