DOL recognizes cyber risks to personal data and the assets contained in ERISA-covered plans
According to the United States Department of Labor (DOL), “Covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries must ensure proper mitigation of cybersecurity risks. The Employee Benefits Security Administration has prepared the following best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for the plan fiduciaries to make prudent decisions on the service providers they should hire.”
The DOL guidance suggests that plan service providers should:
- Have a formal, well-documented cybersecurity program.
- Conduct careful annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in line with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Typically, regulatory agencies release guidance (things you should do) before they release rules and regulations (things you must do). GBQ anticipates formal rules in the future that will turn these “should dos” into “must dos.” We believe firms are obligated to protect their employees’ information, especially when it comes to their benefit plans. Regardless, getting proper security controls in place before rules force your hand is the prudent thing to do.
Moving toward greater security
For some firms, this to-do list is taken care of when IT and security leadership bring the plan under the umbrella of the firm’s existing cybersecurity program. We recommend that plan managers communicate these obligations to their company’s IT and/or information security leadership so that the plan’s data, the employees it covers and their assets are protected.
For other firms, particularly those that are not in industries with information security and privacy regulations, this to-do list might seem daunting.
Firms that use outside providers should consider conducting a risk assessment of those providers, for example by reviewing each provider’s annual third-party audit of its security controls, to confirm that the provider is properly stewarding the data in its control.
Schedule an assessment for your ERISA-covered plans
GBQ IT Services helps firms measure and improve existing cybersecurity programs and works with firms that do not have one in place to form programs appropriate to their size and risk profile. We also help firms measure vendor risk and negotiate with vendors that fall short of our clients’ expectations.
For more information or assistance with cybersecurity matters, please contact Doug Davidson, Director of Information Technology Services.