ERISA-covered plans hold millions of dollars or more in assets and maintain large volumes of personal data on participants, which makes them tempting targets for cyber-criminals. Recognizing this, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor issued its first-ever cybersecurity guidance concerning employee benefit plans in April 2021. In June 2021, just two months after issuing the guidance, government investigators began seeking information from plan sponsors about their cybersecurity policies and procedures. While such requests have so far been limited to ongoing audits, plan sponsors and fiduciaries would be wise to review EBSA's guidance and implement its suggestions as appropriate.
The EBSA guidance, which is directed to plan sponsors and fiduciaries as well as recordkeepers and plan participants, is set forth in three separate publications.
The first, Tips for Hiring a Service Provider, is meant to help plan sponsors and fiduciaries select a service provider with strong cybersecurity practices and then monitor the provider's activities. Tips include asking providers about their information security standards, practices, and policies, including whether they use an outside auditor to review and validate their cybersecurity, and asking for the results of such audits. Plan sponsors and fiduciaries are encouraged to evaluate the service provider's track record, including reviewing public information concerning security incidents and litigation, and questioning the provider about any past security breaches and how they were handled. Providers should also be asked about any insurance policies they hold that would cover losses caused by cybersecurity failures and identity theft, including losses stemming from both internal and external threats. The guidance also recommends that service provider contracts require the provider's ongoing compliance with cybersecurity and information security standards (including annual audits) and oblige the provider to meet all applicable federal, state, and local laws and other governmental requirements pertaining to the privacy, confidentiality, and security of participants' personal information. Contracts should also specify a process by which the service provider notifies plan fiduciaries of any cyber incident or data breach, and should secure the provider's cooperation in investigating, reporting, and addressing the cause.
The second publication, Cybersecurity Program Best Practices, is a more comprehensive document aimed at assisting recordkeepers, service providers, and plan fiduciaries in understanding and fulfilling their responsibilities to manage cybersecurity risks. Noting that a sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information, EBSA states that a prudently designed program will protect the infrastructure, information systems, and the information itself from unauthorized access, use, or other malicious acts. The program should include means to detect and respond to cybersecurity events as well as processes for the recovery from and disclosure of the events. The Best Practices guidance includes pointers on the following: annual risk assessments; third-party audits of security controls (including documentation that EBSA would expect to see); definition and assignment of information security roles and responsibilities; development of strong access control procedures with appropriate authentication and authorization processes; and protection of assets and/or data stored in a cloud or managed by a third-party service provider.
Recognizing that employees are often an organization's weakest link for cybersecurity, EBSA also recommends cybersecurity awareness training for all personnel, conducted at least annually and updated to reflect risks identified through the risk assessments. The guidance also includes tips for creating a secure system development life cycle (SDLC) program, which ensures that security assurance activities such as penetration testing, code review, and architecture analysis are built into the system development process rather than bolted on afterward. In addition, the guidance outlines best practices for developing a business resiliency program (including a business continuity plan, disaster recovery plan, and incident response plan); encryption of sensitive data, both stored and in transit; maintenance of strong technical controls such as firewalls and antivirus software; and actions to be taken in response to cybersecurity incidents and breaches. While many benefit plans (particularly health plans) have already implemented comprehensive cybersecurity programs to comply with HIPAA and other data-protection requirements, this publication serves as a good checklist for reviewing such programs.
The third document, Online Security Tips, offers basic guidance for plan participants and beneficiaries to reduce the risk of fraud and loss when they engage with their plan accounts online. EBSA recommends that participants register, set up, and routinely monitor their online accounts (an unregistered account is easier for an impostor to claim); use strong and unique passwords; use multi-factor authentication; keep personal contact information current (so the participant can be reached if there is a problem); close or delete unused accounts; and be wary of free or public Wi-Fi networks, which can pose security risks. The guidance also cautions participants about phishing attacks and lists common warning signs of such attempts. Finally, the guidance recommends that participants use antivirus software, keep apps and software current, and know how to report identity theft and cybersecurity incidents. While the guidance is directed primarily at participants in retirement plans, it provides good general advice for all employees who may be accessing benefit, payroll, and other confidential information online. Plan sponsors and service providers therefore may want to consider disseminating the information to participants and employees.
EBSA has identified data security enforcement as a top budget priority, and the speed with which it incorporated cybersecurity questions into its audit process took many plan sponsors and service providers by surprise. Plan sponsors and fiduciaries should ensure they have appropriate cybersecurity policies, procedures, and safeguards in place, and should be prepared to produce documentation of them in the event of a governmental audit or inquiry.