On April 14, 2021, the U.S. Department of Labor announced new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, and plan participants. The guidance is specifically “directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act, and plan participants and beneficiaries” and is intended to mitigate cybersecurity risks to pension plans and contribution plans. While organizations with mature cybersecurity and vendor management programs may not find much of note within the standards, the Department of Labor announcement highlights the general importance of employee benefits data and the Department’s heightened attention to such standards. The guidance consists of three supplementary documents including: 1) “Tips for Hiring a Service Provider”, 2) “Cybersecurity Program Best Practices”, and 3) “Online Security Tips”.
The Department of Labor advises reviewing the service provider’s track record in the industry and any past record of cybersecurity incidents, and validating the service provider’s IT security practices and procedures. The Department of Labor also recommends “look[ing] for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.”
Additionally, the guidance recommends that service provider contracts require ongoing cybersecurity compliance, and that plan sponsors and fiduciaries “beware” of agreements that limit the service provider’s liability for “IT security breaches”. ERISA-covered plans should also try to include additional contractual terms, such as those requiring: an annual third-party audit to confirm compliance with cybersecurity policies and procedures; the service provider to maintain confidentiality and prevent use and disclosure of data without written permission; the service provider to notify the plan of any cybersecurity incidents; compliance with cybersecurity laws; and insurance, which may include coverage for professional liability, breach, and fidelity bond/blanket crime.
The Department of Labor’s Cybersecurity Program Best Practices guidance lists 12 best practices for ERISA-covered plan service providers:
1) Have a formal, well-documented cybersecurity program.
2) Conduct prudent annual risk assessments.
3) Have a reliable annual third-party audit of security controls.
4) Clearly define and assign information security roles and responsibilities.
5) Have strong access control procedures.
6) Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
7) Conduct periodic cybersecurity awareness training.
8) Implement and manage a secure system development life cycle (SDLC) program.
9) Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
10) Encrypt sensitive data, stored and in transit.
11) Implement strong technical controls in accordance with best security practices, and
12) Appropriately respond to cybersecurity incidents.
The Department of Labor also provides “security tips” for plan participants and beneficiaries. These include advising plan participants and beneficiaries to monitor their online accounts, use strong passwords, use multi-factor authentication, keep personal contact information current, close or delete unused accounts, avoid free Wi-Fi networks, beware of phishing emails or similar attacks, use antivirus software, and keep applications current. The “security tips” also indicate two avenues for reporting identity theft and cybersecurity incidents: