DOL Issues Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Recordkeepers, Plan Participants – Part 2

Morgan Lewis - Tech & Sourcing

Last week, we posted on the guidance issued by the US Department of Labor (DOL) for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on cybersecurity best practices. Last week’s post focused on the guidance provided for hiring a service provider. In this week’s post, we highlight some of the DOL’s cybersecurity program best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data.

  1. Formal, well-documented cybersecurity program. The service provider should have a formal program under which the service provider implements security policies, procedures, guidelines, and standards to protect the security of its IT infrastructure and data stored on its systems. The guidance lists topics that the program should cover, including access controls and identity management, business continuity and disaster recovery, asset management, incident response, and physical security.
  2. Annual third-party audit of security controls. The service provider should have an independent auditor assess its security controls on an annual basis. As part of the audit, the service provider should provide a report to the plan fiduciary and remediate weaknesses identified by the audit.
  3. Strong access controls. Access control is a method of authenticating users and limiting access to systems and data. Some examples of access controls are implementation of access privileges on a need-to-access basis, use of complex passwords, and multifactor authentication.
  4. Annual training. A service provider’s cybersecurity program should include annual training of the service provider’s personnel on its policies, procedures, guidelines, and standards for protecting IT systems and data.
  5. Business continuity and disaster recovery. The service provider should have one or more business continuity and disaster recovery plans to recover, resume, and maintain services following a disruption.
  6. Encryption. The service provider should encrypt data to protect its confidentiality and integrity.
  7. Technical controls. The service provider should implement technical controls to protect its IT systems and data. Examples of technical controls are anti-virus software, routine patch management, and data backup.
  8. Cybersecurity incident response plan. The service provider should have a response plan for cybersecurity incidents that includes, without limitation, providing notice of the incident to the plan sponsor and/or plan fiduciary, investigating the incident, complying with applicable data privacy laws, and remediating the issue(s) that caused the incident.

We encourage our readers to review the guidance for more information, including information on additional cybersecurity best practices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Tech & Sourcing | Attorney Advertising
