In April, the Department of Labor’s (“DOL”) Employee Benefits Security Administration (“EBSA”), for the first time, issued sub-regulatory guidance aimed directly at sponsors of ERISA employee benefit plans, ERISA plan trustees, recordkeepers and plan participants, targeting cybersecurity practices. Although EBSA’s release announcing the guidance draws particular attention to ERISA retirement plans, which hold an estimated $9.3 trillion in plan assets, nothing in the guidance limits its application to ERISA retirement plans alone. Not only do the billions of dollars in plan assets deserve greater protection against cybersecurity risks, but participants’ personal information (names, dates of birth, Social Security numbers, etc.) also needs protection from the threat of unauthorized access. Consequently, ERISA welfare plans would be well served by also implementing the relevant cybersecurity practices described in the new guidance.
EBSA’s cybersecurity guidance takes the form of three separately published documents:
• Tips for Hiring a Service Provider, which gives plan sponsors and trustees tips for carefully selecting and supervising service providers with strong cybersecurity practices.
• Cybersecurity Program Best Practices, which helps trustees and plan recordkeepers fulfill their responsibilities for managing cybersecurity risks.
• Online Security Tips, which gives plan participants and beneficiaries tips on how they can reduce the risk of fraud and loss when checking their retirement accounts online.
Although the DOL, through EBSA or otherwise, had not previously provided specific cybersecurity guidance for ERISA employee benefit plans, there have been growing indirect indicators of the DOL’s concern about cybersecurity threats to plan assets and personal information. Plan trustees have an obligation to ensure adequate mitigation of cybersecurity risks. The new guidance not only provides useful information on the practices and procedures EBSA would consider important for prudently mitigating cybersecurity risks, but also suggests the standards for cybersecurity practices that we might expect EBSA to look for in future audits and investigations.
The broader focus on cybersecurity extends beyond the plan sponsor’s internal administrative procedures to the cybersecurity practices and procedures of the recordkeepers and other service providers selected by plan sponsors to support ERISA plan operations. Do plan sponsors ask recordkeepers and service providers appropriate questions about their information security standards, practices and policies, and do they incorporate appropriate protections into their service agreements? The new guidance provides suggested lines of questioning that plan sponsors of all sizes should ask as part of the process of selecting and monitoring their service providers.
Best practices for plan service providers should include:
- Having a formal, well-documented cybersecurity program.
- Conducting prudent annual risk assessments.
- Having a reliable annual third-party audit of security controls.
- Clearly defining and assigning information security roles and responsibilities.
- Having strong access control procedures.
- Ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conducting periodic cybersecurity awareness training.
- Implementing and managing a secure system development life cycle (“SDLC”) program.
- Having an effective business resilience program that addresses business continuity, disaster recovery and incident response.
- Encrypting sensitive data, both stored and in transit.
- Implementing strong technical controls in accordance with security best practices.
- Responding appropriately to any past cybersecurity incidents.
The fact that the new EBSA guidance includes online security tips for plan participants reflects the recognition that participants have their own role to play in reducing the risk of fraud and loss with respect to their individual retirement accounts. Plan sponsors should consider making these online security tips part of the standard enrollment and participant communication packages for their plans.
In light of the new guidance, plan sponsors should look to develop appropriate internal cybersecurity practices and policies (including procurement practices and policies for new plan service providers) or update any practices and policies already in place. For existing service providers, it is advisable to review the providers’ cybersecurity practices, policies and contractual responsibilities (i.e., the provisions of their service agreements), and to develop appropriate mechanisms for monitoring their cybersecurity practices going forward.