BY JOHN IEKEL
The Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued guidance April 14 on maintaining cybersecurity, including tips on protecting retirement benefits. The guidance has a wide target audience—the DOL intends it for plan sponsors, plan fiduciaries, record keepers, plan participants and beneficiaries.
EBSA notes that it estimates that by 2018, there were 34 million participants in private-sector pension plans and 106 million participants in defined contribution plans, and that their combined assets totaled about $9.3 trillion. “Without sufficient protections,” says the DOL “these participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.” EBSA has issued regulations on electronic records and disclosures to plan participants and beneficiaries, but this is the first time it has issued specific cybersecurity guidance.
The guidance comes in three forms: cybersecurity program best practices for recordkeepers and other service providers, tips for plan sponsors on selecting a service provider, and general online security tips.
Cybersecurity Program Best Practices
EBSA suggests best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries in choosing service providers. EBSA argues that service providers should:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Tips for Hiring a Service Provider
The DOL offers the following tips in order to help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers.
1. Ask the service provider:
- about their information security standards, practices and policies, and audit results;
- how it validates its practices;
- what levels of security standards it has met and implemented; and
- whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
2. Look for:
- service providers that follow a recognized standard for information security and use an outside auditor to review and validate cybersecurity; and
- contract provisions that give you the right to review audit results demonstrating compliance with security standards.
3. Compare the service provider’s standards to those other financial institutions follow.
4. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation and legal proceedings related to its services.
5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
6. Make sure that a contract with a service provider requires ongoing compliance with cybersecurity and information security standards Try to include in the contract terms that would enhance cybersecurity protection such as those concerning the following.
- Information Security Reporting. Require the service provider to obtain a third-party audit annually to determine compliance with information security policies and procedures.
- Clear Provisions on the Use and Sharing of Information and Confidentiality. Spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse.
- Notification of Cybersecurity Breaches. Identify how quickly the service provider will provide notification of any cyber incident or data breach, and ensure the service provider’s cooperation to investigate and reasonably address its cause.
- Compliance with Laws Concerning Records Retention and Destruction, Privacy and Information Security. Specify the service provider’s obligations to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.
- Insurance. Consider requiring insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.
General Online Security Tips
EBSA suggests that the following practices can reduce the risk of fraud and loss to retirement accounts, not only for plan sponsors but also for plan participants.
- Register, set up and routinely monitor online accounts.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal contact information up to date.
- Close or delete unused accounts.
- Be wary of free wifi.
- Beware of phishing attacks.
- Use antivirus software and keep apps and software current.
- Know how to report identity theft and cybersecurity incidents.
Acting Assistant Secretary for Employee Benefits Security Ali Khawar in a press release hailed the guidance as “an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information.” said. Khawar added that “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime.”
CYBERSECURITY IS IMPORTANT TO YOU…IT’S IMPORTANT TO US TOO
As you know cyberattacks are on the rise and no one is immune. That is why it’s vital to understand what the service providers you choose to do business with are doing to address threats to you and your employees.
With TRA’s comprehensive cybersecurity strategy and protocols we continuously monitor for attacks and vulnerabilities to protect your data and give you comfort when doing business with us.
- Security Architecture – aligned with industry best practices to identify, block, and respond to threats
- Security Awareness – an employee culture focused on cybersecurity
- Security Training & Testing – to prevent social engineering and manipulation of our employees
- Security Verification – continuous monitoring, ethical hacking and security and software updates to reduce risk