EBSA Releases Cyber Security Guidance
The Department of Labor’s Employee Benefits Security Administration (EBSA) recently released cybersecurity guidance directed at ERISA fiduciaries and plan sponsors. The guidance aims to help protect plan assets from both internal and external cybersecurity threats by offering tips and best practices on hiring service providers and managing cybersecurity risks. These materials indicate that cybersecurity is a matter of fiduciary responsibility under ERISA, so plan sponsors should carefully consider EBSA’s suggestions.
EBSA first provided a tip sheet to plan fiduciaries on how to prudently select service providers. The guidance suggests asking about a service provider’s information security standards, practices and policies, audit results, and insurance coverage; comparing that information to the industry standard; and asking how the service provider validates its practices. The guidance also advises plan sponsors to consider a service provider’s history by evaluating its security track record in the industry and asking about past security breaches. Finally, the tip sheet advises that sponsors should pay close attention to the contract with the service provider and confirm that the contract requires ongoing compliance with cybersecurity and information security standards.
Sponsors should consider contractually requiring the following:
information security reporting;
provisions on the use and sharing of information and confidentiality;
notification of cybersecurity breaches;
compliance with records retention and destruction, privacy and information security laws; and
professional liability and errors and omissions insurance, cyber liability insurance, and privacy breach insurance.
EBSA also published a document on best practices for recordkeepers and other service providers responsible for plan-related IT systems and data. Plan fiduciaries are encouraged to use this information to evaluate those service providers. First, service providers should formally document their cybersecurity program. Providers should continually assess and update their cybersecurity program by conducting annual risk assessments and engaging a third party to audit their security controls. Providers should ensure that personnel are aware of expectations by conducting periodic cybersecurity awareness training and clearly defining information security roles and responsibilities. The document further describes controls a provider should implement, including strong access control procedures, cloud data controls, data encryption, and technical controls such as firewalls and antivirus software. Finally, providers should prepare for the worst by implementing a program that effectively addresses business continuity, disaster recovery, and incident response. Should a cybersecurity incident occur, plan providers should be prepared to take appropriate action to protect the plan and plan participants.