Historically, the U.S. Department of Labor (DOL) has been relatively quiet with respect to fiduciaries’ responsibilities to protect ERISA-covered benefit plan data. There was little guidance on responsibilities for protecting computers against outside attackers and analyzing data security practices of third-party service providers. However, this changed in April 2021 when the DOL issued new guidance for addressing cybersecurity risks associated with benefit plans.
Why the change?
In addition to millions of dollars in assets, ERISA-covered plans contain pertinent personal data on participants. While assets taken from a pension plan can be quantified, the value of stolen data is effectively unknown.
Without coverage options for theft of participant data (such as that for plan assets), adopting strong cybersecurity practices and oversight of third-party providers helps reduce an organization’s exposure to cybersecurity events.
Best practices from the Employee Benefits Security Administration:
The DOL guidance states that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. In addition, the agency has provided guidance and best practices for recordkeepers, other service providers responsible for plan-related IT systems and data, and plan fiduciaries making prudent decisions about service providers they hire.
The Employee Benefits Security Administration (EBSA) has outlined 12 best practices for service providers to reduce cybersecurity risks associated with employee benefit plans. While some of these practices should be shared by fiduciaries and service providers, others are specific to service providers.
Shared responsibilities:
- Have a formal, well-documented cybersecurity program: A well-designed program protects the infrastructure, information systems, and the information in the systems from unauthorized access, use, or other malicious acts and establishes strong security policies, procedures, guidelines, and standards for the organization to follow.
- Have a reliable annual third-party audit of security controls: Service providers should conduct an independent assessment of the organization’s security controls and report on existing risks, vulnerabilities, and weaknesses. The fiduciary should request audit reports from their service provider, including SOC examinations and penetration-testing summaries.
- Clearly define and assign information security roles and responsibilities: Assign information security responsibilities to an appropriate leader in the organization with sufficient experience and knowledge to establish and maintain the vision, strategy, and operation of the cybersecurity program.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments: Fiduciaries should review security plans and procedures with service providers, hosted in the cloud or with a third party, to ensure appropriate controls are in place for protecting plan data.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response: Review and update the business continuity, disaster recovery, and incident response plans to account for the organization’s current operational and technology environment.
- Conduct periodic cybersecurity awareness training: Ensure cyber awareness training programs are updated annually to reflect risks identified by the most recent risk assessment and include individuals that interact with participant data.
- Encrypt sensitive data when stored and in transit: Ensure the proper protection of plan data through strong encryption standards. Data encryption can protect nonpublic information to safeguard the confidentiality and integrity of the data at rest or in transit.
Service provider responsibilities:
- Conduct prudent annual risk assessments: As outlined by the guidance, a risk assessment should identify threats, establish and review controls, mitigate remaining risks, and be monitored and updated annually.
- Have strong access control procedures: Review privilege access to related IT systems and ensure access is limited based on the principle of least-privilege. Deploy multifactor authentication to related IT systems whenever possible.
- Implement and manage a secure system development life cycle (SDLC) program: Ensure procedures, guidelines, and standards for developing in-house applications are secure. This may include activities such as penetration testing, code review, and architecture analysis.
- Implement strong technical controls in accordance with best security practices: Deploy and secure information systems that interact with plan data, including routine security updates and system hardening standards.
- Appropriately respond to any past cybersecurity incidents: Review ability and effectiveness of responding to a cybersecurity incident or breach. In addition, review contracts to ensure data breach notification responsibilities are defined and processes exist for meeting obligations.
It’s important to note that both fiduciaries over plan assets and benefit plan service providers play a critical function in reviewing cybersecurity roles and ensuring participant data is secure. To learn more about addressing cybersecurity risks associated with benefit plans, contact a member of our cybersecurity team.