Recently, the Government Accountability Office (GAO) urged the U.S. Department of Labor (DOL) to issue cybersecurity guidelines to mitigate the risks to 401(k) and other retirement plans. The GAO noted that there were trillions of dollars in employer-sponsored defined contribution retirement plans and that the DOL had not clarified whether plan trustees have any responsibility for cybersecurity issues. On April 14, the DOL confirmed that employee benefit plan trustees have an obligation to manage the cybersecurity risks of employer-sponsored plans.
In issuing this guidance, the DOL acknowledged that plan trustees have a duty to mitigate cybersecurity risks. Without sufficient protections, the 34 million participants in private pension plans and 106 million participants in defined contribution plans, covering $9.3 trillion in assets, could be at risk from cybersecurity threats. Accordingly, ERISA requires plan trustees to take appropriate precautions to mitigate that risk. The DOL cybersecurity guidelines were published in three parts:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which provides guidance for plan trustees in hiring service providers;
- Cybersecurity Program Best Practices, which provides best practices for recordkeepers and other service providers; and
- Online Security Tips, which provides advice to plan participants and beneficiaries who check and manage their accounts online.
This guidance was published in the form of “tips” and suggested “best practices” for plan trustees to consider, rather than as prescribed steps that plan trustees must take. However, the tips for hiring a service provider and the cybersecurity program best practices are detailed enough that it would not be surprising for the DOL to begin treating these steps as the minimum expectations plan trustees must meet to satisfy their cybersecurity risk management obligations.
It is worth noting that the GAO urged the DOL to publish guidelines on retirement plans and cybersecurity considerations in light of the trillions of dollars in assets held in those plans. The DOL guidelines are likewise oriented toward retirement plans, in particular the Tips for Hiring a Service Provider document, although they are addressed to plan sponsors and trustees regulated by the Employee Retirement Income Security Act (ERISA). While this guidance may not explicitly refer to employer-sponsored plans other than retirement plans governed by ERISA, plan trustees should consider the tips and best practices for other plans to the extent they apply. This is particularly true for other ERISA-governed plans, such as health and welfare plans, because the same fiduciary responsibilities that apply to retirement plans also apply to health and welfare plans.
Tips for hiring a service provider
Retirement plan sponsors are no strangers to hiring service providers to work with their retirement plans and are consequently familiar with the requirement to ensure a prudent process for selecting and monitoring those service providers. These guidelines now add cybersecurity considerations to the issues to weigh when selecting service providers.
The DOL provides suggested questions for potential service providers to gauge their cybersecurity practices. These include asking the service provider about its information security standards, policies, and audit results; how it validates its practices; what levels of security standards it has met and implemented; and any past security breaches. Responses should be weighed against those of other potential service providers, industry standards, and the service providers’ track records.
Beyond the questions, the DOL guide suggests careful attention to the service contract. According to this DOL guide, service contracts should, among other things:
- Require the service provider to obtain third-party audits annually;
- Identify how quickly a service provider must inform plan trustees of a breach; and
- Specify the service provider’s obligation to comply with applicable federal, state, and local laws regarding the privacy, confidentiality, or security of participants’ personal information.
Cybersecurity program best practices
The DOL has identified 12 best practices for use by recordkeepers and other parties responsible for plan-related IT systems, and for use by plan trustees in making prudent decisions about cybersecurity measures. In summary, the 12 points identified by the DOL are:
- Have a formal and well-documented cybersecurity program. This includes a system for identifying risks, protecting assets, data, and systems, detecting and responding to cybersecurity events, recovering from the event, disclosing (as appropriate) and restoring normal operations and services. This program should be approved by senior management, reviewed internally at least annually, and should be reviewed by a third-party independent auditor to assess compliance and threats.
- Create a prudent and annual risk assessment program. An effective and manageable risk assessment schedule should be established to identify and assess cybersecurity risks and to describe how the program will mitigate the identified risks. This program should be updated to take into account changes in information systems, service providers, or other changes in business operations.
- Perform an annual third-party audit of security controls. In addition to the internal measures taken, an independent external auditor should evaluate the security controls annually. If the auditor’s report identifies any weaknesses, the plan trustee should also document the correction of the identified weaknesses.
- Clearly define and assign information security roles and responsibilities. Related to the first and second points, a prudent system for managing cybersecurity risks should clearly identify who is responsible for each aspect of the program. The DOL specifically provides that a cybersecurity program must be managed at the senior executive level and then executed by qualified personnel. The Chief Information Security Officer (CISO) would generally be the appropriate person to establish and maintain the program.
- Ensure strong access control procedures. A sound procedure should be established to ensure that users are who they claim to be and that only approved users can access IT systems and data. This requires an appropriate system of authentication and authorization.
- Evaluate the use of cloud computing by third-party service providers. The cloud service provider’s security programs and features must be evaluated as part of the decision to interact with that service provider. This would include requiring an external service provider risk assessment, periodically assessing the service provider, and ensuring that the guidelines of any security program are met. The tips for hiring a service provider, discussed above, would apply to cloud service providers.
- Conduct annual cybersecurity awareness training. A strong program should address the risks at every level, including employees. Accordingly, the DOL suggests conducting annual cybersecurity awareness training to educate everyone to recognize attacks, help prevent incidents, and protect themselves from identity theft.
- Implement a secure systems development lifecycle (SDLC) program. A secure SDLC program ensures that security assurance activities, such as code review, are an integral part of the system development process.
- Implement a business resilience program to address business continuity, disaster recovery, and incident response. Enterprise resilience is the ability to adapt quickly to disruptions, while maintaining ongoing business operations and protecting people, assets, and data. The DOL proposes to create a business continuity plan, a disaster recovery plan and an incident response plan.
- Encrypt sensitive data. A cybersecurity program should implement current and prudent standards for encrypting data at rest and data in transit.
- Implement strong technical controls to implement best security practices. Technical security controls should be implemented to keep hardware, software, and firmware up to date, to perform routine data backups, and to ensure routine patch management.
- Be responsive to cybersecurity incidents or breaches. Ensure that appropriate measures are taken to protect the plan and plan participants in the event of a cybersecurity incident or breach. These measures may include informing law enforcement, notifying insurers, investigating the incident, and fixing the problem or weakness that caused the breach.
Online security tips
The final component of the DOL guidance focuses on the steps and actions that plan participants and beneficiaries can take to mitigate potential cybersecurity risks. These tips include regularly checking your accounts, using strong passwords with multifactor authentication, keeping personal contact information up to date, and signing up for account activity alerts. As part of this advice, the DOL also offers individuals some general best practices when accessing accounts or maintaining an online presence in general, such as being aware of phishing attacks, using antivirus software, and keeping applications and software updated and current.
Moving forward with the DOL guidance
Cybersecurity has been a growing concern in general as processes and platforms have increasingly shifted to remote or electronic service providers. Given this landscape of e-services and the recent DOL guidelines, plan trustees should review and analyze their existing processes for addressing cybersecurity risks.
Plan trustees should also review their current service provider agreements and contracts, especially any contracts scheduled for renewal or termination. The DOL guidelines should be compared against the current practices of plan sponsors and plan trustees, and where there are gaps, additional steps may be needed to ensure that plan trustees can meet all of their obligations when it comes to cybersecurity issues.