Justin Bonk, CISSP, PCI-QSA, CIA, CFE, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
In April of 2021, the Department of Labor’s Employee Benefits Security Administration (EBSA) issued guidance for plan sponsors, plan fiduciaries, plan service providers, and plan participants on best practices for maintaining cybersecurity and protecting retirement plan assets. This guidance expanded on the earlier “Cybersecurity Considerations for Employee Benefits Plans” report put out by the Employee Retirement Income Security Act (ERISA) Advisory Council in 2016.
The guidance addressed three specific components; tips for hiring an employee benefit plan service provider with strong cybersecurity practices, online security tips to reduce the risk of fraud and loss, and Cybersecurity Program Best Practices, which outlines twelve best practices the Department of Labor suggests for use by recordkeepers and other service providers responsible for plan-related IT systems and data.
Twelve Benefit Plan Cybersecurity Best Practices
In brief, key components of each of the best practices include the following:
1.) Have a formal, well documented Benefit Plan Cybersecurity Program
The plan should have a formally document cybersecurity program including strong security policies, procedures, guidelines, and standards that are approved by senior leadership, reviewed at least annually, and aligned with a particular framework or frameworks. The Best Practice also recommends eighteen areas to consider addressing in a formal policy, including data governance and classification, data disposal, and data privacy, amongst others.
2.) Prudent Annual Risk Assessment
The plan should implement a risk assessment process to identify, estimate and prioritize information system risks. This process should identify, assess, and document how identified cybersecurity risks or threats are evaluated and categorized, and should clearly document the scope, methodology and frequency of the process. The assessment should describe how the cybersecurity program will mitigate risks, and how the plan is revised in light of changes to the plan’s IT environment.
3.) A Reliable Annual Third Party Audit of Security Controls
The DOL recommends an independent auditor assess the plan’s security controls to provide a clear, unbiased report on existing risks, vulnerabilities and weaknesses. The DOL elaborates that their expectation of output from such a review to include items as audit reports, penetration test reports, or ‘any other analysis or review of the plan’s cybersecurity practices by a third party.'
4.) Clearly Defined and Assigned Information Security Roles and Responsibilities
The plan’s cybersecurity program should be managed at the senior executive level and executed by qualified personnel. Best practices define qualified personnel to meet the criteria of having sufficient experience and necessary certifications, undergoing initial and periodic background checks, receiving regular updates and training, and knowledgeable on current and changing cybersecurity threats and countermeasures.
5.) Strong Access Controls
This Best Practice addresses the critical components of authentication and authorization when it comes to accessing plan data. Key concepts outlined in the Best Practice include limiting access to authorized users based on the role of the individual in accordance with the principle of need-to-know. The best practice further recommends unique, complex passwords and multi-factor authentication.
6.) Assets or Data Stored in a Cloud or Managed by a Third Party Service Provider are Subject to Appropriate Security Reviews and Independent Security Assessments
It’s a common practice to utilize a third party for services that expose them to your sensitive data. This may include a cloud provider such as AWS, Azure or Google Cloud Suite. To address this third party risk, this best practice suggests requiring a risk assessment of third party service providers, defining minimum cybersecurity practices for third party service providers, periodically assessing third party service providers based on potential risks, and ensuring the existence of contractual protections when third parties are utilized.
7.) Cybersecurity Awareness Training Conducted at Least Annually for All Personnel and Updated to Reflect Risks Identified by the Most Recent Risk Assessment
Even the most secure environment can be compromised by someone clicking a phishing link. Given the use of identity theft by bad actors to obtain fraudulent distributions, the DOL places a high degree of focus on training individuals to identify and thwart off social engineering attempts as part of the broader cybersecurity awareness training. As new risks are introduced into an organization the plan should be updated.
8.) Secure System Development Life Cycle Program (SDLC)
If your plan develops its own applications, this Best Practice provides guidance on processes to put in place around the System Development Life Cycle (SDLC). The DOL outlines two areas of focus – implementing processes to alert the plan when a change to account information is made, particularly before a distribution, and a process for testing and validating the security of a developed application, including reviews, vulnerability scans and penetration testing.
9.) A Business Resiliency Program which Effectively Addresses Business Continuity, Disaster Recovery, and Incident Response.
DOL provides clarity on business resiliency, specifying the need for a Business Continuity Plan, Disaster Recovery Plan (often seen together as a BCP/DR), and an incident response plan. The Best Practice provides information on what to include in each plan, and how often each plan should be tested.
10.) Encryption of Sensitive Data Stored and in Transit
Encryption of data both while at rest and in motion is a key component of any cybersecurity program. This best Practice outlines that system should implement encryption processes to ensure the security and integrity of plan data, and ensure management of encryption keys is controlled.
11.) Strong Technical Controls Implementing Best Security Practices
The DOL outlines multiple technical controls to consider when securing a plan’s system, including firewalls, antivirus, network segmentation, system hardening processes, and automated backup and patch management processes.
12.) Responsiveness to Cybersecurity Incidents or Breaches
The DOL outlines breach and incident response parameters including informing law enforcement, insurers where appropriate, and affected plan participants. Breaches or incidents should be thoroughly investigated and the weakness that resulted in the event should be mitigated immediately.
Each plan is different, and there’s no one-size-fits-all solution to meeting the Benefit Plan Cybersecurity Best Practices. The DOL acknowledges that plans likely may not have the cybersecurity expertise in-house. In those cases, plans should consult with cybersecurity service providers on how to best align their processes and procedures with the twelve best practices to adequately address the cybersecurity related risks facing the plan.
The Freed Maxick Cybersecurity & IT Services Team can review any of your organizations’ Cybersecurity processes and provide you with the trusted guidance necessary to improve your processes. Our team stands ready to be your trusted partner. If you would like to schedule a cybersecurity assessment discussion, please reach out to one of our experts by filling our the form below or calling 716.847.2651.