Employers that sponsor employee benefit plans under the Employee Retirement Income Security Act (ERISA) face many challenges. Not the least of these is cybersecurity.
In an effort to help, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) recently issued guidance identifying best practices to mitigate cybersecurity risks in the administration of ERISA-covered plans. The guidance, which comes in the form of three documents, also offers advice on hiring retirement plan service providers and online security tips for retirement plan participants.
An accompanying news release indicates that this is the first time the EBSA has issued cybersecurity guidance. Here are some highlights.
The first document, entitled “Cybersecurity Program Best Practices,” is geared toward plan fiduciaries and recordkeepers. It identifies 12 best practices and then elaborates on each.
Key practices include having a formal and well-documented cybersecurity program that’s informed by annual risk assessments and third-party audits of security controls. Emphasis is placed on clearly defined roles and responsibilities and strong access and technical controls — including encryption — combined with workforce training at least annually.
Periodic security evaluations and testing should be integral parts of a system development life cycle program for plan-related software. The cybersecurity practices need to address resiliency to business disruptions and promote continuity, disaster recovery and incident response. When a security incident or breach occurs, appropriate actions must be taken to protect the plan and its participants. (Some specific actions are listed.)
The second document, entitled “Tips for Hiring a Service Provider With Strong Cybersecurity Practices,” identifies six considerations to help plan sponsors and fiduciaries prudently select and monitor service providers.
Tips include asking service providers about their security standards and practices — including how their practices have been implemented and validated (such as through audit results). Fiduciaries should also investigate service providers’ history by researching public records and asking providers about their security breach experiences and responses.
Cybersecurity and identity-theft insurance is important, too. Contracts with service providers should document cybersecurity protections and obligations, such as breach notification, limitations on use and disclosure of private information, and records retention.
Online security tips
The third document, entitled “Online Security Tips,” is directed at retirement plan participants. It suggests basic rules to reduce the risk of fraud and loss. Tips include:
- Regularly monitoring accounts,
- Using strong and unique passwords,
- Activating multifactor authentication,
- Updating contact information,
- Deleting unused accounts,
- Being wary of free Wi-Fi, and
- Watching out for phishing attacks.
The guidance also urges participants to use antivirus software and keep it updated. (Plan sponsors should do the same.)
For links to the documents, check out the news release here. Although this is the EBSA’s first guidance on cybersecurity, the documents incorporate familiar concepts from the HIPAA security and business associate standards, and the NIST cybersecurity framework. Nonetheless, it’s helpful to see the concepts and standards articulated and applied in an ERISA context. Our firm can help you evaluate the risks and cost-effectiveness of your employee benefit plans.