Cybersecurity for Employee Benefit Plans
Recently, the Department of Labor’s Employee Benefits Security Administration (“EBSA”) released cybersecurity best practices and security tips on its website (https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity). These best practices give plan sponsors a practical checklist for protecting one of the most important aspects of their benefit plans: plan demographic data such as participant names, Social Security numbers, dates of birth, and account balances.
In addition to the plan demographic data, employee benefit plans hold millions of dollars of retirement benefits that must be protected from outsiders as well. The difficult part is that the plan sponsor not only has to ensure its own internal data is protected from outside attacks, but also has to confirm that its plan providers (recordkeepers, third party administrators, custodians) have sound controls in place to protect the data they hold on the plan sponsor’s behalf.
The EBSA has identified 12 best practices plan sponsors need to be aware of:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
All of these are described in the EBSA release linked above, but let’s highlight a couple of them:
Number 1: Have a formal, well documented cybersecurity program. Plan Sponsors need to identify the assets and information that need to be protected, put protections in place to secure that information, and have tools to detect threats and to recover from incidents. Plan Sponsors should document how their information can be accessed, who has access today and who should have access, and the controls that protect that information. Lastly, they should have a process to continually review who has access to the data so that only current employees with a business need retain access; terminated employees, unused accounts, and provider or vendor accounts that no longer serve a purpose should be removed promptly.
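The access review described above can be made repeatable rather than a once-a-year spreadsheet exercise. The following is an added example, not part of the EBSA release or anything this firm ships: it reconciles a constructed export of plan-portal accounts against a constructed HR roster and flags the cases that matter in practice (a terminated employee who still logged in, an account with no HR record, a privileged role nobody approved, and a dormant account). The field names, roles, and the 90-day dormancy threshold are assumptions for illustration; a real review would read the recordkeeper’s user export and the HRIS feed instead.

```python
"""Quarterly access reconciliation for a benefit-plan portal (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str


# Constructed sample HR roster: employee id -> (status, termination date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2023, 5, 31)),
    "E102": ("active", None),
    "E103": ("leave", None),
}

# Constructed sample export from the plan portal's user-administration screen.
PORTAL_ACCOUNTS = [
    {"account": "jdoe", "employee_id": "E100", "role": "plan_admin", "last_login": date(2023, 6, 1)},
    {"account": "asmith", "employee_id": "E101", "role": "payroll_upload", "last_login": date(2023, 6, 3)},
    {"account": "tpa_svc", "employee_id": None, "role": "plan_admin", "last_login": date(2023, 6, 3)},
    {"account": "bwong", "employee_id": "E102", "role": "read_only", "last_login": date(2022, 11, 1)},
    {"account": "rlee", "employee_id": "E999", "role": "read_only", "last_login": date(2023, 6, 2)},
]

# Assumed policy inputs: who is allowed to have an account without an HR record
# (e.g. a third party administrator's service account) and who may hold admin roles.
APPROVED_NON_EMPLOYEE_ACCOUNTS = {"tpa_svc"}
PRIVILEGED_ROLES = {"plan_admin"}
APPROVED_PRIVILEGED_ACCOUNTS = {"jdoe"}
DORMANT_AFTER_DAYS = 90  # assumed threshold


def reconcile(accounts, roster, as_of,
              approved_non_employee=APPROVED_NON_EMPLOYEE_ACCOUNTS,
              privileged_roles=PRIVILEGED_ROLES,
              approved_privileged=APPROVED_PRIVILEGED_ACCOUNTS,
              dormant_after_days=DORMANT_AFTER_DAYS):
    """Return one Finding per account per problem, in portal export order."""
    findings = []
    for acct in accounts:
        name, eid = acct["account"], acct["employee_id"]

        # 1. Does the account map to a current employee?
        if eid is None:
            if name not in approved_non_employee:
                findings.append(Finding(name, "non-employee account not on the approved list"))
        elif eid not in roster:
            findings.append(Finding(name, f"no HR record for employee id {eid}"))
        else:
            status, term_date = roster[eid]
            if status == "terminated":
                reason = f"employee {eid} terminated on {term_date}"
                # The failure mode that matters most: the account was used after the leave date.
                if term_date is not None and acct["last_login"] > term_date:
                    reason += "; account used after termination"
                findings.append(Finding(name, reason))

        # 2. Is a privileged role held by someone the plan sponsor actually approved?
        if acct["role"] in privileged_roles and name not in approved_privileged:
            findings.append(Finding(name, f"privileged role '{acct['role']}' not approved"))

        # 3. Dormant accounts are an easy target and should be disabled.
        if (as_of - acct["last_login"]).days > dormant_after_days:
            findings.append(Finding(name, f"no login in more than {dormant_after_days} days"))
    return findings


def run_review(as_of=date(2023, 6, 5)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(PORTAL_ACCOUNTS, HR_ROSTER, as_of)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:10} {f.reason}")
```

Run on the sample data, the review flags asmith (terminated, and used after the termination date), tpa_svc (admin role on a third-party service account without an approval on file), bwong (dormant), and rlee (no HR record); jdoe is the only account that passes. Each finding is something a plan sponsor should either remediate with the provider or document as an approved exception before the next review.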
Number 10: Encrypt sensitive data, stored and in transit. It is very important to secure all data that is sent to or received from Third Party Administrators and plan participants. Census files, payroll contribution uploads, and distribution forms should move through a secure portal or be encrypted before they are sent; sending them as plain email attachments exposes participant Social Security numbers and account data to anyone who intercepts or misdirects the message.
All Plan Sponsors should review and implement the best practices above to protect their plan participants’ most important personal data and to protect and secure the assets those participants have saved for retirement.
As always, please contact us if you have any questions.