In April, the Department of Labor (DOL) issued its first guidance on cybersecurity practices for ERISA retirement plans. The guidance, which was largely in response to a US Government Accountability Office report urging the DOL to issue cybersecurity recommendations, establishes the DOL’s minimum expectations for addressing cybersecurity risks.
The guidance was issued in three parts: (i) Cybersecurity Program Best Practices; (ii) Tips for Hiring a Service Provider with Strong Cybersecurity Practices; and (iii) Online Security Tips. Although all three parts are framed as tips and best practices, the DOL expects plans to memorialize their practices and procedures in writing.
The first two parts of the guidance are intended to help plan sponsors manage cybersecurity risks, including by prudently selecting service providers. The Cybersecurity Program Best Practices lists twelve practices that plan sponsors and plan service providers should follow, including maintaining a formal, well-documented cybersecurity program, conducting an annual risk assessment, and implementing strong controls to protect plan data. The third part provides tips that help plan participants and beneficiaries reduce the risk of loss, such as using unique passwords and multi-factor authentication.
Generally, when the DOL or other regulators issue guidance like this, we would not expect to see audit activity for at least a year or two. However, we are already aware of several investigations that the DOL has commenced regarding cybersecurity practices. We are reproducing requested documentation in one such investigation.
So what should plan sponsors do in response to these guidelines?
Create or Review a Written Cybersecurity Program
As an initial matter, plan sponsors should take a step back and analyze their cybersecurity program as a whole, reviewing any policies that are in place and identifying any gaps. Once gaps or weak areas are known, plan sponsors can begin the process of creating or updating a written cybersecurity program.
The DOL lists eighteen areas that a comprehensive program should cover, including: (i) data governance and classification, (ii) access controls and identity management, (iii) data disposal, (iv) incident response, (v) encryption, and (vi) cybersecurity awareness training. Additionally, the DOL recommends conducting annual risk assessments and annual third-party audits of security controls to test the effectiveness of the written program. The DOL makes clear that in an audit it would expect to see those audit reports, penetration test reports, and other analyses of the audited party's cybersecurity practices.
The DOL also emphasizes the importance of clearly defined roles and responsibilities. In other words, plan sponsors need to designate an individual or team to own and maintain the cybersecurity program. This may include creating a cross-functional team with the authority to make and implement cybersecurity decisions.
Make a Plan for Vendor Diligence and Management
As part of the formal cybersecurity program, plan sponsors should establish a plan for selecting and managing service providers. The DOL's Tips for Hiring a Service Provider with Strong Cybersecurity Practices are meant to help plan sponsors and fiduciaries prudently select service providers and monitor their activities. The guidance offers six tips for plan sponsors considering a service provider, to confirm that the provider has thorough cybersecurity practices:
1.) Ask about the service provider's information security standards, practices, policies, and audit results, and compare them to the industry standards adopted by other like institutions. Plan sponsors should look for service providers that follow a recognized information security standard.
2.) Ask the service provider how it validates its practices and what levels of security standards it has met and implemented.
3.) Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, litigation, or other legal proceedings related to the offered services.
4.) Ask whether the service provider has experienced any past security breaches. If it has, ask for details, including what the service provider did in response.
5.) Determine if the service provider has any insurance policies that would cover losses caused by cybersecurity incidents, including identity theft breaches.
6.) Require contracts with a service provider to include ongoing compliance with cybersecurity and information security standards.
Additionally, plan sponsors should consider contractual provisions obligating service providers to maintain strong cybersecurity practices. For example, plan sponsors should require service providers to regularly undergo third-party audits of compliance with their information security policies and to comply with all applicable cybersecurity and privacy laws. Service providers should be contractually prohibited from using or sharing plan data for any purpose other than performing their duties, or without the plan sponsor's consent. Plan sponsors should also require prompt notice of cyber incidents affecting plan data. The contract should clearly allocate responsibility for breach notification and its associated costs, and should require insurance coverage with limits high enough to reimburse the plan for a security breach.
Prepare Plan Participants
The DOL also contemplates ways to help plan participants who check their retirement plan accounts online to protect themselves against the risk of fraud and loss. For example, the DOL recommends plan participants use strong and unique passwords as well as take advantage of multi-factor authentication, where applicable. Plan participants should keep personal contact information current and take the time to close or delete unused accounts.
The guidance does not specifically place responsibility on plan sponsors to educate plan participants on cybersecurity best practices, but it is certainly in plan sponsors' best interests to provide training and resources to participants. Plan participants can be a point of entry for attackers seeking access to plan information, but they can also act as a strong line of defense. Having cybersecurity-savvy participants can be just as beneficial as a strong written cybersecurity program.
No cybersecurity program is infallible. Incidents will happen. What's important, and what we believe the DOL will want to see, is the effort to prioritize cybersecurity. And given the recent audit activity, creating (or reviewing) your comprehensive cybersecurity program should be done sooner rather than later.
Example DOL audit document requests:
1.) All policies, procedures, or guidelines relating to:
a.) Data governance, classification, and disposal
b.) The implementation of access controls and identity management, including any use of multi-factor authentication
c.) The processes for business continuity, disaster recovery, and incident response
d.) The assessment of security risks
e.) Data privacy
f.) Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties
g.) Cybersecurity awareness training
h.) Encryption to protect all sensitive information transmitted, stored, or in transit
2.) All documents and communications relating to any past cybersecurity incidents
3.) All security risk assessment reports
4.) All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses
5.) All documents and communications describing security reviews and independent security assessments of the assets or data of the Plan stored in a cloud or managed by service providers
6.) All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis
7.) All documents describing security technical controls, including firewalls, antivirus software, and data backup
8.) All documents and communications from service providers relating to their cybersecurity capabilities and procedures
9.) All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data
10.) All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services
Please note that you may need to consult not only with the sponsor of the Plan, but with the service providers of the Plan to obtain all documents responsive to these requests. If you are unable to produce documents responsive to any of the foregoing, please specify the requests and the reasons for the non-production.
Jenny L. Holmes
Associate | Deputy Leader, Cybersecurity & Privacy