Cybersecurity program best practices

To mitigate cybersecurity risks to retirement plans and their participants, EBSA developed a set of best practices for retirement plan service providers and the plan fiduciaries selecting such providers.  These practices include:

• A formal, well documented cybersecurity program: An organization's cybersecurity program should be designed to protect its IT infrastructure and information systems, as well as the data on such systems.  The program should define and assign roles and responsibilities, and consist of procedures and standards to identify and respond to cybersecurity risks and events.  In addition, the program should require (at least) annual cybersecurity awareness training.
• Annual risk assessments: Organizations should establish criteria for evaluating, assessing, and responding to cybersecurity risks as part of their risk assessments.  In addition, the assessment process should be responsive to ever-changing technology and facilitate the revision of controls, as needed. Further, an organization storing data with a third-party service provider (such as a recordkeeper or custodian) should require a risk assessment of the provider, define minimum cybersecurity practices for the provider, and periodically assess the provider in connection with its continued service engagement.
• Annual third-party security controls audits: An organization's security controls should be reviewed by an independent auditor.  The review should be well documented and include reporting in connection with penetration testing, cybersecurity practices, and corrections of any system vulnerabilities.
• Strong access control procedures and technical controls: Organizations should keep their system hardware, software, and firmware up to date and should routinely back up the data on their systems.  In addition, system access should be limited to authorized users and follow a need-to-access principle.  Policies and procedures should monitor system activity and require multi-factor authentication (whenever possible).  Access privileges should be reviewed (and updated, if needed) at least every three months to ensure accuracy.
• Encryption of sensitive data: Organizations should implement current, prudent system standards to protect nonpublic information and to preserve the confidentiality and integrity of system data.
• Business resiliency programs: An organization should maintain a business resiliency program that consists of a business continuity plan, a disaster recovery plan, and an incident response plan.  The program should provide procedures for an organization to follow to recover, resume, and maintain business functions in the event of a business disruption, as well as procedures for responding to security incidents.

Tips for hiring a service provider

As described above, an effective cybersecurity program includes assessing and monitoring the cybersecurity programs of third-party service providers.  EBSA views these activities as part of a fiduciary's responsibility under ERISA in connection with the selection and monitoring of plan service providers.  In short, the fiduciaries should use service providers that have strong cybersecurity programs.  To that end, EBSA issued hiring tips for business owners and fiduciaries (regardless of size) that include:

• Asking the service provider about its information security standards, practices, policies and audit results. This information should be compared to industry standards adopted by other financial institutions.
• Identifying the levels of security standards implemented and maintained by the service provider and how the service provider validates its cybersecurity practices.
• Evaluating and investigating the service provider's experience with past security incidents and litigation, as well as how the service provider responded in these situations.
• Negotiating service agreements to include audit review rights, ongoing cybersecurity and information security compliance, service provider responsibility for security breaches with enhanced protections for participants, and appropriate insurance coverage for cybersecurity and identity theft breaches (whether caused by internal or external employees or contractors).

Online security tips

EBSA also provided educational material for participants.  While service providers and fiduciaries may find this information helpful, the tips are designed to provide plan participants with practices (and reminders) to mitigate fraud and loss in connection with their retirement accounts.  Service providers and plan fiduciaries should consider furthering this effort by notifying participants of the information and how it can be accessed.