DOL Offers Best Practices to Defend ERISA Covered Retirement Plans from Cyberattack
08.30.21 | Operations Chat
The many millions of dollars in assets currently housed in employee benefit plans is cause enough to expect the most inventive cybercriminals to take their best shot. To add further allure, there is the coveted personal data of plan participants. It should come as no surprise that the Department of Labor’s Employee Benefits Security Administration (EBSA) decided to issue cybersecurity guidance for employee benefit plans. The guidance is aimed at:
- Plan sponsors and fiduciaries
- Plan participants
The guidance comes in three components:
Tips for Hiring a Service Provider: Geared to sponsors and fiduciaries, it advises that a service provider under consideration demonstrate strong cybersecurity practices. It is important to assess the quality of their security standards, practices, and policies. Learn if they employ an outside auditor to review their measures and ask to review the results of that audit. Look into their track record to see if they suffered any breaches and what their response was. The EBSA guidance also states that any contract with a service provider requires ongoing compliance with cybersecurity and information standards and that the provider meet government laws and requirements relating to the security of plan participants’ information.
Cybersecurity Program Best Practices: This area is aimed at recordkeepers, service providers, and plan fiduciaries to assist them in dealing with cybersecurity risks with an even dozen recommendations.
- Develop a formal, well-documented cybersecurity program
- Carry out annual risk assessments
- Engage a reliable third party for an annual audit of security controls
- Produce, define, and assign security roles and responsibilities
- Maintain strong access control procedures
- Confirm that assets stored in a cloud or managed by a third party have appropriate security reviews and independent security assessments
- Perform periodic cybersecurity awareness training
- Maintain a secure system development life cycle (SDLC) program
- Establish a business resiliency program that includes business continuity, disaster recovery, and incident response
- Encrypt sensitive data, stored and in transit
- Follow best security practices when initiating technical controls
- Appropriately respond to any previous cybersecurity incidents
Online Security Tips: This is guidance for both plan participants and beneficiaries when they are reviewing their accounts online. Among the recommendations are regular monitoring of the accounts, the use of strong passwords (no baby birthdays or ABC123), and the use of multi-factor authentication. This security feature requires multiple means of identification at login and is widely recognized as the most secure software authentication method for verifying access to data and applications. There is also advice on telltale signs that indicate that you are the subject of phishing. Using the latest antivirus software is also strongly recommended.
For more detail on the EBSA’s recommendations, visit: