Department of Labor Issues New Cybersecurity Guidance
In April 2021, the U.S. Department of Labor (DOL) announced new cybersecurity guidance for protecting ERISA-covered plan data from internal and external cybersecurity threats. The guidance is specifically “directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act, and plan participants and beneficiaries” and is designed to mitigate cyber threats to pension plans and contribution plans.
The guidance is comprised of three supplementary documents including 1) “Tips for Hiring a Service Provider”, 2) “Cybersecurity Program Best Practices”, and 3) “Online Security Tips”.
The guidance provides tips to help plan sponsors and fiduciaries meet their responsibilities under ERISA by making informed decisions in choosing and monitoring the service providers they rely on to maintain and store plan data and records.
Tips for Hiring a Service Provider
The DOL’s Guidance establishes the minimum standards plan fiduciaries should meet in regard to the hiring of service providers. It is recommended that plan fiduciaries immediately review provider hiring practices and current contracts to ensure they meet the standards outlined below.
Request copies of the provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
Check if and how the provider validates its information security practices.
Investigate the provider’s track record, including litigation and legal incidents.
Ask whether the service provider has experienced past security breaches, what happened, and how they responded.
Ascertain if the provider has insurance policies that cover cybersecurity-related breaches and losses.
When entering a contract with a provider, ensure it requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for cybersecurity breaches.
Cybersecurity program best practices
The Guidance advises plan sponsors and fiduciaries to ensure that the service providers they hire have a formal, well-documented cybersecurity program in place. This should include business continuity, disaster recovery, and incident response. Plans’ service providers should also:
Conduct annual risk assessments and third-party audits.
Clearly define and assign information security roles and responsibilities.
Require strong access control procedures.
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
Perform cybersecurity awareness training.
Implement and manage a secure system development life cycle (SDLC) program.
Require encryption of sensitive data, both stored and in transit.
Require strong technical controls in accordance with best security practices.
Respond appropriately to any past cybersecurity incidents.
Online security tips
The Guidance recommends the following simple precautions to reduce risk:
Register, set up, and routinely monitor your online account and keep contact info current.
Use complex and unique passwords.
Use multi-factor authentication.
Close and delete unused accounts.
Beware of accessing accounts through public Wi-Fi.
Beware of email and telephone phishing attacks.
Use anti-virus software.
Report identity theft and cybersecurity incidents to the FBI and Department of Homeland Security via the following links:
As cybersecurity continues to be of critical importance, plan administrators and fiduciaries would do well to follow DOL’s guidance and tips to protect them from both internal and external threats.