On April 14, 2021, the U.S. Department of Labor (“DOL”), through its Employee Benefits Security Administration (“EBSA”), issued its first set of cybersecurity guidelines for plan sponsors, plan trustees, record keepers, and plan participants. Given the increase in cyberattacks on retirement plans and the potential exposure of approximately $9.3 trillion in benefit plan assets (according to DOL’s estimate), EBSA’s cybersecurity guidance was eagerly awaited and arguably overdue. In fact, in February 2021, the U.S. Government Accountability Office had asked the DOL to issue minimum cybersecurity standards.
The EBSA guidelines are intended to complement DOL’s May 2020 regulations on electronic records and disclosures. Although the 2020 regulations allow retirement plans to deliver certain plan documents electronically, electronic delivery also increases the exposure to cyberattacks. While ERISA already holds plan sponsors to a high fiduciary standard in protecting the benefits of participants and beneficiaries, the EBSA guidelines represent a vital step in helping sponsors, trustees, accountants, and plan participants safeguard retirement benefits and personal information. The guidance also signals what the DOL will look for when auditing plans and service providers. Plan sponsors, trustees, and accountants should therefore review the guidelines carefully and follow EBSA’s recommendations, including the action items detailed in this alert, to ensure that their cybersecurity programs meet EBSA’s best-practice standards.
Rather than a set of frequently asked questions or a formal regulation, the EBSA guidance consists of three “tip sheets,” two of which are aimed at plan sponsors, trustees, and accountants (“Tips for Hiring a Service Provider” and “Cybersecurity Program Best Practices”), and one of which is aimed at retirement plan participants and beneficiaries (“Online Security Tips”).
Although the guidance refers only to retirement plan information and benefits, it also serves as a useful reference point for ERISA-covered welfare plans, to the extent those plans have not already established compliance programs under HIPAA and/or other state or federal data security laws.
Tips for sponsors, trustees and accountants of pension plans
Good cybersecurity practices
For retirement plan sponsors, trustees and accountants, EBSA provides guidance on cybersecurity best practices in 12 areas. In summary, EBSA recommends:
- Maintain a formal, well-documented cybersecurity program detailing the security policies, procedures, guidelines, and standards that protect the integrity and security of information;
- Conduct annual risk assessments that identify, estimate and prioritize information system risks;
- Obtain a reliable annual third-party audit of security controls to provide an unbiased report of existing risks, vulnerabilities and weaknesses;
- Clearly define and assign information security roles and responsibilities within the organization, and ensure that a qualified staff member fills the role of information security officer;
- Maintain strong access control procedures that verify the identity of users, limit each user’s access to the specific information that user needs, and regularly review access privileges;
- Ensure that assets or data stored in the cloud or managed by an external service provider are subject to appropriate security reviews and independent security assessments;
- Conduct regular cybersecurity awareness training;
- Implement and manage a secure systems development life cycle (“SDLC”) program that integrates penetration testing, code review, and architecture analysis;
- Maintain an effective business resilience program that addresses business continuity, disaster recovery and incident response, so that a breach does not disrupt operations and information remains protected;
- Encrypt sensitive data (stored internally or externally, at rest or in transit) using sound encryption key management, message authentication and hashing;
- Implement strong technical controls consistent with security best practices, such as keeping hardware, software, and firmware up to date, using firewalls and vendor-supported intrusion detection, segregating networks, and performing routine patch management; and
- Respond appropriately to any cybersecurity incident, including, among other things, notifying affected participants and law enforcement (where applicable) and taking steps to reduce the likelihood of recurrence.
Tips for hiring a service provider
When hiring and overseeing a service provider, EBSA recommends that plan sponsors, trustees, and accountants ask prospective service providers about their cybersecurity programs and how those programs are maintained. Sponsors, trustees and plan accountants should compare prospective service providers’ cybersecurity programs with the industry standards adopted by other financial institutions, and should assess each prospective provider’s track record by reviewing public information on data security incidents and litigation. They should also ask prospective service providers whether they have experienced cybersecurity incidents and how those incidents were handled, and whether the provider carries an insurance policy covering losses caused by cybersecurity breaches (including losses caused by internal and external threats). Plan sponsors, trustees, and accountants should review service provider contracts to ensure that they require the provider to comply on an ongoing basis with cybersecurity and information security standards, and should avoid contractual provisions that limit the provider’s responsibility for cybersecurity breaches. Finally, they should pay particular attention to contractual clauses on confidentiality, the use and sharing of information, the provider’s obligation to give notice of cybersecurity breaches, delivery of cybersecurity risk assessments and audit reports, and record retention and destruction.
Tips for plan participants and beneficiaries
For plan participants and beneficiaries who have online access to their retirement benefit information, EBSA recommends:
- Register for, set up, and routinely monitor online retirement accounts to ensure that no unauthorized changes have been made;
- Use multi-factor authentication (such as a one-time code sent to you at sign-in) together with a unique, strong password that is changed reasonably often;
- Keep personal information, such as current cell phone numbers and email addresses, up to date, and close or delete unused accounts;
- Avoid free Wi-Fi and other insecure Internet connections;
- Be alert to phishing attacks and report suspicious emails rather than opening them;
- Use antivirus software and keep applications updated to their latest versions; and
- Know where to find resources for reporting identity theft and cybersecurity incidents.
Elements of action
To comply with the EBSA guidelines, plan sponsors, trustees and accountants should:
- Consider conducting an internal audit to assess existing cybersecurity programs and identify possible areas of weakness;
- Develop written policies and procedures so that cybersecurity programs are clear and kept up to date;
- Clearly define and assign information security roles and responsibilities, and have qualified personnel fill the role of information security officer;
- Train staff to detect possible cyberattacks, such as phishing, and to follow cybersecurity best practices;
- Review service provider contracts to ensure adequate contractual protections, such as requirements to conduct annual audits and to promptly notify the plan of any security breach;
- Conduct cybersecurity due diligence on service providers, both at the time of engagement and periodically thereafter;
- Respond promptly to any cybersecurity incident;
- Confirm that current liability insurance coverage extends to cybersecurity losses, or obtain dedicated cybersecurity insurance coverage; and
- Consider preparing a communication to participants describing EBSA’s cybersecurity recommendations and informing participants of their own role in mitigating cybersecurity risk.