EBSA: Cybersecurity Program Best Practices; Tips for Hiring a Service Provider With Strong Cybersecurity Practices; Online Security Tips; News Release (Apr. 14, 2021)
The DOL’s Employee Benefits Security Administration (EBSA) has issued guidance identifying “best practices” to mitigate cybersecurity risks in the administration of ERISA-covered plans, along with advice on hiring retirement plan service providers and online security tips for retirement plan participants. A news release indicates that this is the first time EBSA has issued cybersecurity guidance. Here are highlights:
Best Practices. This document, geared toward plan fiduciaries and recordkeepers, identifies 12 best practices and then elaborates on each. Key practices include having a formal and well-documented cybersecurity program that is informed by annual risk assessments and third-party audits of security controls. Emphasis is placed on clearly defined roles and responsibilities and strong access and technical controls—including encryption—combined with workforce training at least annually. Periodic security evaluations and testing should be integral parts of a system development life cycle program for plan-related software. The cybersecurity practices should address resiliency to business disruptions and promote continuity, disaster recovery, and incident response. When a security incident or breach occurs, appropriate actions should be taken to protect the plan and its participants; some specific actions are listed.
Hiring Tips. This document identifies six cybersecurity considerations to help plan sponsors and fiduciaries prudently select and monitor service providers. Tips include asking service providers about their security standards and practices—including how their practices have been implemented and validated—and any audit results. Fiduciaries should also investigate service providers’ track records by researching public records and asking service providers about their security breach experiences and responses. Cybersecurity and identity-theft insurance is also important, and contracts with service providers should document cybersecurity protections and obligations, such as breach notification, limitations on use and disclosure of private information, and record retention.
Online Security Tips. This document, directed to retirement plan participants, suggests basic rules to reduce the risk of fraud and loss. Tips include regularly monitoring accounts, using strong and unique passwords, activating multi-factor authentication, updating contact information, deleting unused accounts, being wary of free Wi-Fi, watching for phishing attacks, using antivirus software, and keeping software updated.
EBIA Comment: Although this is EBSA’s first guidance on cybersecurity, the documents incorporate familiar concepts from the HIPAA security and business associate standards and the NIST cybersecurity framework, and it is helpful for EBSA to articulate and apply them specifically in the ERISA context. This guidance may have been influenced by a recent Government Accountability Office report, which warns of cybersecurity risks and recommends that the DOL establish minimum expectations for mitigating cybersecurity risks. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.J (“Due Diligence in Hiring Business Associates”) and XXIX (“Security Requirements: General Concepts”). See also EBIA’s 401(k) Plans manual at Sections XII.L (“Account Theft and Cybersecurity”) and XXIV.G.2 (“Selecting and Monitoring Service Providers”), and EBIA’s ERISA Compliance manual at Section XXVIII (“Fiduciary Duties Under ERISA”).
Contributing Editors: EBIA Staff.