Cybersecurity Guidance for Employee Benefit Plans
Data breaches are becoming more frequent and are affecting businesses worldwide, especially those with valuable data stored online. It is no wonder, then, that employee benefit plans (EBPs) are prime targets for cybercriminals. Not only do EBPs operate in an electronic environment that shares employee information with multiple third parties, but their systems maintain sensitive employee data, including personally identifiable information, electronic protected health information, participant enrollment data, individual account balances, direct deposit information, compensation, and other financial information. This information is extremely vulnerable to cybercriminals who could gain access to employee accounts online in an attempt to request loans and distributions or access participant and/or sponsor contributions.
EBP Cybersecurity Recommendations
To address these risks, the Department of Labor (DOL) has provided updated guidance for ERISA-regulated plan sponsors and plan fiduciaries, since these parties have an obligation to ensure proper mitigation of cybersecurity risks for their EBPs. The following are the recommended best practices.
DEVELOP A FORMAL, WELL-DOCUMENTED CYBERSECURITY PROGRAM.
A well-designed cybersecurity program will protect the EBP’s infrastructure, information systems, and the information in those systems from unauthorized access, use, or other malicious acts. It will also establish strong security policies, procedures, guidelines, and standards, which should be documented, approved by senior management, reviewed annually, and communicated to participants.
ENGAGE AN INDEPENDENT AUDITOR TO PERFORM A SECURITY CONTROL ASSESSMENT.
The findings/final report should focus on existing risks, vulnerabilities, and weaknesses. System and Organization Controls (SOC) examinations and penetration testing summaries should also be requested.
CLEARLY DEFINE AND ASSIGN INFORMATION SECURITY ROLES AND RESPONSIBILITIES.
For a cybersecurity program to be effective, it must be managed and carried out by organizational leaders with sufficient experience and knowledge to establish and maintain the vision, strategy, and operation of the program.
ENSURE ANY ASSETS OR DATA STORED IN A CLOUD OR MANAGED BY A THIRD-PARTY SERVICE PROVIDER ARE SUBJECT TO APPROPRIATE SECURITY REVIEWS AND INDEPENDENT SECURITY ASSESSMENTS.
Fiduciaries should review security plans and procedures with service providers (hosted in the cloud or with a third party) to ensure appropriate controls are in place for protecting plan data.
DEVELOP A BUSINESS RESILIENCY PROGRAM THAT ADDRESSES BUSINESS CONTINUITY, DISASTER RECOVERY, AND INCIDENT RESPONSE.
The program should be periodically reviewed and updated to reflect the organization’s current operational and technology environment.
CONDUCT ANNUAL CYBERSECURITY AWARENESS TRAINING.
Since identity theft is a leading cause of fraudulent distributions from EBPs, it should be a key topic of training, with an emphasis on the current techniques used to gain unauthorized access to systems. EBP personnel should always be wary of individuals falsely posing as authorized plan officials, fiduciaries, participants, or beneficiaries.
ENCRYPT SENSITIVE DATA WHEN STORED AND IN TRANSIT.
Ensure the proper protection of plan data through strong encryption standards. Data encryption can protect nonpublic information to safeguard the confidentiality and integrity of the data at rest or in transit.
PERFORM ANNUAL RISK ASSESSMENTS.
A risk assessment should identify threats, establish and review controls, mitigate remaining risks, and be monitored and updated annually.
ESTABLISH STRONG ACCESS CONTROL PROCEDURES.
Secure access control uses policies that verify users are who they claim to be and ensures that users are granted only the appropriate level of access. Most EBPs use an online portal for participants to access their benefits. Without strong access control procedures, EBP participants’ retirement accounts could be misappropriated through unauthorized access.
IMPLEMENT AND MANAGE A SECURE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) PROGRAM.
Ensure that procedures, guidelines, and standards for developing in-house applications address security. This may include activities such as penetration testing, code review, and architecture analysis.
IMPLEMENT STRONG TECHNICAL CONTROLS IN ACCORDANCE WITH BEST SECURITY PRACTICES.
Deploy and secure information systems that interact with plan data, including routine security updates and system hardening standards.
Review the plan’s ability to respond effectively to a cybersecurity incident or breach. In addition, review contracts to ensure that data breach notification responsibilities are defined and that processes exist for meeting those obligations.
In summary, ERISA-covered EBPs often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cybercriminals. Plan sponsors, fiduciaries, and service providers play a critical function in reviewing cybersecurity roles and ensuring participant data is secure.