On April 14, 2021, the Department of Labor’s Employee Benefits Security Administration (“EBSA”) issued, for the first time, guidance on best practices for maintaining cybersecurity. The guidance comes in the form of three documents:
- “Cybersecurity Program Best Practices,” which aims to help plan fiduciaries and service providers meet their responsibilities for managing cybersecurity risks;
- “Tips for Hiring a Service Provider,” which is intended to help plan sponsors and fiduciaries select and monitor service providers with strong cybersecurity practices; and
- “Online Security Tips,” which aims to help plan participants and beneficiaries who check their retirement accounts online reduce the risk of fraud and loss.
The following is a high-level summary of EBSA’s cybersecurity guidelines.
Cyber Security Program Best Practices
This document identifies a number of good practices for use by recordkeepers and other service providers responsible for computer systems and data related to plans. In addition, EBSA notes in the guidance that plan fiduciaries who are responsible for hiring such service providers “have an obligation to ensure proper mitigation of cybersecurity risks” and should take these best practices into consideration when making hiring decisions.
The best practices identified in this document include:
- Maintain a formal, well-documented cybersecurity program. The guidance states that a prudently designed cybersecurity program:
o protects the infrastructure, information systems and the information contained in those systems against unauthorized access, use or other malicious acts;
o establishes strong security policies, procedures, guidelines and standards; and
o is supported by formal, effective policies and procedures.
- Conduct annual risk assessments. The guidance notes that, because IT threats constantly evolve, service providers must periodically conduct risk assessments in order to identify, estimate and prioritize risks to information systems, and must codify the scope, methodology and frequency of those risk assessments.
- Engage third party auditors to perform annual audits of security controls. The guide notes that hiring an independent auditor to assess a service provider’s security controls would provide “a clear and impartial report on existing risks, vulnerabilities and weaknesses.”
- Clearly define and assign information security roles and responsibilities. The guide notes that to be effective, a cybersecurity program must be managed at the senior management level (usually by an information security officer) and executed by trained personnel.
- Maintain strong access control procedures. The guidance notes that it is important for service providers to maintain strong “access control” procedures that ensure that users of IT systems and data are who they claim to be and have access appropriate to their roles within the organization. The guidance includes best practices for authentication and authorization, the two main components of access control.
- Subject assets or data stored in a cloud or managed by a third-party service provider to appropriate security reviews and independent security assessments. The guidance recognizes the security issues and challenges associated with cloud computing and notes that plan fiduciaries “must understand the security posture of the cloud service provider in order to make informed decisions about using the service.” The guidance identifies best practices to ensure that third-party service providers maintain adequate security controls, including requiring risk assessments and defining minimum cybersecurity practices.
- Conduct periodic cybersecurity awareness training. Noting that “[e]mployees are often an organization’s weakest link for cybersecurity,” the guidance stresses the importance of maintaining a comprehensive cybersecurity awareness program for all staff and identifies identity theft as a key training topic.
- Maintain an effective business resilience program. The guidelines discuss the importance of maintaining a “business resilience program” that enables an organization to quickly adapt to disruptions while maintaining continuous business operations and protecting people, assets and data. The guide identifies the components of such a program and associated best practices.
- Encrypt sensitive data. The guidance states that a cybersecurity program should implement and keep current prudent data encryption standards to protect the confidentiality and integrity of sensitive data, both at rest and in transit.
- Respond appropriately to cybersecurity incidents. The guidance recognizes that cybersecurity breaches can occur, but notes that appropriate steps must be taken to protect affected plans and their participants, including:
o notifying law enforcement and the appropriate insurer;
o notifying affected plans and participants in accordance with agreed-upon notification requirements;
o giving affected plans and participants the information necessary to prevent or reduce injury;
o investigating the incident; and
o fixing the problems that caused the breach.
Tips for hiring a service provider with strong cybersecurity practices
In this document, EBSA notes that plan sponsors who rely on service providers to maintain plan records, keep participant data confidential and keep plan accounts secure have a fiduciary duty under ERISA to prudently select and monitor those service providers. To help plan sponsors meet their fiduciary obligations, the guidance identifies certain steps that a plan sponsor should take when selecting such a service provider, including:
- Ask questions about the service provider’s information security standards, practices and policies and compare them to industry standards adopted by other service providers;
- Ask the service provider how it validates its cybersecurity practices;
- Assess the service provider’s track record by reviewing public information regarding cybersecurity incidents and legal proceedings relating to its services;
- Ask if the service provider has experienced cybersecurity breaches and, if so, how the service provider responded to the breaches; and
- Ask if the service provider has insurance policies that would cover losses resulting from cybersecurity breaches.
The guidelines also state that when contracting with a service provider, plan sponsors should try to include terms that would enhance cybersecurity protection for the plan, including provisions that:
- Require the service provider to obtain an annual third-party audit to determine compliance with its information security policies and protocols;
- Specify the service provider’s obligations regarding the prevention of unauthorized use or disclosure of confidential information;
- Determine how quickly the service provider must notify the plan sponsor of cybersecurity breaches;
- Specify the service provider’s obligations to comply with all applicable legal and regulatory requirements relating to the privacy, confidentiality or security of participants’ personal information; and
- Require the service provider to maintain insurance coverage.
Online safety tips
This document advises plan participants and beneficiaries with an online retirement account to take certain steps to reduce the risk of fraud and loss, including:
- Regularly log in to and monitor online accounts;
- Use strong, unique passwords and multi-factor authentication;
- Keep personal contact information up to date;
- Close or delete unused accounts;
- Avoid free public Wi-Fi and access online accounts through cellular or home networks instead;
- Use reputable antivirus software and keep it up to date; and
- Report identity theft and cybersecurity incidents.
We will continue to monitor any future developments in this area.