On April 14, 2021, the United States Department of Labor (DOL) announced new cybersecurity guidance (the Guidance) for pension plan sponsors, plan fiduciaries, record keepers and plan participants that outlines best practices for maintaining cybersecurity. The Guidance is directed toward plan sponsors regulated under the Employee Retirement Income Security Act of 1974 (ERISA), as well as plan participants and beneficiaries.
The Guidance comes in three prongs, each with its own intentions and best practices: (1) Tips for Hiring a Service Provider; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.
Tips for Hiring a Service Provider
The “Tips for Hiring a Service Provider” prong is intended to help plan sponsors and fiduciaries prudently select a service provider that has strong cybersecurity practices and monitors its own activity, as required under ERISA. The best practices encourage sponsors and fiduciaries to:
- Ask about the service provider’s information security standards, practices and policies, as well as its audit results, how it validates those practices and what level of security it maintains.
- Incorporate contract provisions that provide the right to review the service provider’s audit results and which require ongoing compliance with cybersecurity and information security standards.
- Evaluate, and ask about, publicly available information on security incidents or breaches and other legal proceedings related to the service provider’s services.
- Confirm whether the service provider has cyber insurance to cover losses from a cybersecurity incident or breach.
- Ensure the contract with the service provider requires ongoing compliance with cybersecurity and information security standards, and be wary of contractual provisions that limit the service provider’s responsibility for IT security breaches.
Cybersecurity Program Best Practices
The “Cybersecurity Program Best Practices” prong is intended to assist plan fiduciaries and record keepers in managing cybersecurity risks. While the list of recommendations is lengthy and detailed, the following is a general overview of these practices:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure any data assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure systems development lifecycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypt sensitive data, both stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Online Security Tips
The “Online Security Tips” prong provides basic rules for plan participants and beneficiaries to reduce the risk of fraud or loss when checking their online retirement accounts. While these best practices are general across the board, it is still important to be aware of this component of the Guidance:
- Use strong and unique passwords.
- Use multifactor authentication.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be wary of free Wi-Fi.
- Beware of phishing attacks.
- Use antivirus software and keep applications and software current.
- Know how to report identity theft and cybersecurity incidents.