Cyber-attacks are on the rise.
As you’re aware, plan sponsors, administrators, and service providers maintain electronic information that can be extremely vulnerable to cyber-attacks, including personally identifiable information (PII), participant enrollment data, and of course, electronically protected health information (EPHI). Responsible plan fiduciaries must safeguard against cybersecurity risks, but not everyone is prepared. This year, The Department of Labor (DOL) issued a new cybersecurity guidance package and has already begun including this in its enforcement efforts. Ask yourself this important question: does your team have internal cybersecurity policies that already meet updated standards? If not, it’s time to draft new policies or risk falling behind and falling victim to an attack.
What prompted this action?
Earlier this year, the Government Accountability Office (GAO) released cybersecurity issues and risk findings. The GAO issued an urgent recommendation that the DOL affirmatively state whether cybersecurity is a fiduciary obligation and provide guidance for plan sponsors and service providers regarding mitigation of this cybersecurity risk. In response, the DOL issued a three-part cybersecurity guidance package containing:
Best Practices.
The first document, Cybersecurity Program Best Practices supports information technology security protocols for Employee Retirement Income Security Act (ERISA)-covered benefit plans. The memo outlines 12 points for cybersecurity risk mitigation, including conducting cybersecurity risk assessments on at least an annual basis and conducting third-party audits of system security controls. In regards to conducting a third-party audit, EBSA indicated that if it were to review an audit program it would expect to see evidence of audit reports, penetration test reports, and documented corrections of any identified weaknesses. The document also calls for a plan sponsor’s cybersecurity program to be managed at the executive level, and annual cybersecurity awareness training. EBSA further instructs plan sponsors and fiduciaries to utilize a secure system development life cycle program (SDLC) to ensure that new systems are designed to prioritize cybersecurity considerations. For example, EBSA suggests certain events (like when a participant wants to change their account information) should automatically trigger two-factor authentication or other additional protocols.
Tips for Hiring Service Providers.
The second document, Tips for Hiring a Service Provider With Strong Cybersecurity Practices, is aimed at helping plan sponsors and fiduciaries protect their cybersecurity interests when working with a third party. In this guidance, EBSA lists six core points that plan sponsors and fiduciaries should follow in order to meet their responsibilities under ERISA. EBSA suggests asking potential service providers whether they have cybersecurity insurance coverage and reviewing public information regarding the provider’s cybersecurity track record and potential liabilities. Entering into a new contract? Time to read the fine print. Plan sponsors should carefully review the contract, ensuring it includes protections addressing access control policies, encryption policies, and a cyber threat notification procedure. Finally, EBSA recommends that service provider contracts include a clause requiring ongoing compliance with evolving cybersecurity information and standards.
A Model Notice offering Cybersecurity for Participants.
The third piece of guidance, Online Security Tips, is directed at participants and provides a list of best practices to reduce the risk of fraud and cybersecurity threats to retirement accounts. This guidance provides best practices for maintaining a secure online presence, such as using multi-factor authentication where possible, changing passwords regularly, and avoiding public Wi-Fi.
Since releasing this guidance, the DOL began ramping up its cybersecurity audit protocols by contacting plan sponsors and fiduciaries and inquiring as to their cybersecurity practices.
This means it’s a good idea to be prepared to produce cybersecurity and data privacy policies, information, and documentation related to past incidents, and risk assessment reports. Whether or not it’s been a priority in the past, cybersecurity considerations should become part of your regular administrative process. Please note that this DOL guidance likely applies to all plans governed by ERISA, not just retirement plans. To stay protected and prepared, a cybersecurity review should also be performed for ERISA-covered health and welfare plans. If you have any questions about the new guidance, please reach out to our team of dedicated professionals.
Source: DOL, GAO, Benefits Pro, Security Magazine