On April 14, 2021, the U.S. Department of Labor’s (DOL’s) Employee Benefits Security Administration (EBSA) issued its first guidance on cybersecurity best practices for protecting the retirement benefits of employees in private sector employer-sponsored retirement plans governed by the Employee Retirement Income Security Act of 1974 (ERISA).
ERISA was established to protect plan participants and their beneficiaries. However, with the continually changing IT landscape and the growing use of the internet in retirement plan administration, risks have surfaced that leave retirement plans vulnerable to cyber-attacks. Many plan sponsors outsource plan administration, often including recordkeeping, to third-party service providers. This creates a risk of cyber criminals gaining unauthorized access to participant accounts and their personal information.
The DOL’s cybersecurity guidance (https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414) is broken down into three documents:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices
- Cybersecurity Program Best Practices
- Online Security Tips
Tips for Hiring a Service Provider with Strong Cybersecurity Practices:
- Ask about the service provider’s information security standards, practices, policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity;
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard;
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services;
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded;
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account);
- When contracting with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the plan and its participants.
Cybersecurity Program Best Practices:
- Have a formal, well documented cybersecurity program;
- Conduct prudent annual risk assessments;
- Have a reliable annual third-party audit of security controls;
- Clearly define and assign information security roles and responsibilities;
- Have strong access control procedures;
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct periodic cybersecurity awareness training;
- Implement and manage a secure system development life cycle (SDLC) program;
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- Encrypt sensitive data, stored and in transit;
- Implement strong technical controls in accordance with best security practices;
- Appropriately respond to any past cybersecurity incidents.
Online Security Tips:
- Register, set up and routinely monitor your online account;
- Use strong and unique passwords;
- Use multi-factor authentication;
- Keep personal contact information current;
- Close or delete unused accounts;
- Be wary of free Wi-Fi;
- Beware of phishing attacks;
- Use antivirus software and keep apps and software current;
- Know how to report identity theft and cybersecurity incidents.
The cybersecurity guidance issued by the DOL is an important step in helping plan sponsors, fiduciaries, and plan service providers safeguard retirement benefits and personal information. We anticipate that in due time the DOL may issue additional guidance, or potentially standards and requirements, to combat cybercrime, as this has been on the U.S. Government Accountability Office’s (GAO’s) agenda.
Shavell & Company is well-versed in conducting full scope and limited scope Employee Benefit Plan Audits. In fact, our team’s level of knowledge and experience in Employee Benefit Plan Audits spans almost 70 years. As a member of the AICPA’s Employee Benefit Plan Audit Quality Center, we help clients satisfy Department of Labor requirements.
Call on Shavell & Company for thorough and knowledgeable Employee Benefit Audit services. We’ll help you satisfy annual filing requirements while ensuring your readiness to cover employees’ future health and retirement needs. Contact us today!