The Department of Labor’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidelines for fiduciaries of plans subject to ERISA. While these best practices are directed toward ERISA plans, they are also worth consideration by non-ERISA plans such as government and church plans.
By releasing its guidance on cybersecurity, the EBSA makes clear that, in order for fiduciaries to properly discharge their duties (particularly the duty of care, skill, prudence, and diligence and the duty to monitor), they must enact safeguards against potential cyberattacks. The guidance includes three documents: tips for hiring a service provider with strong cybersecurity practices, cybersecurity program best practices for plan fiduciaries and record-keepers, and online security tips for participants and beneficiaries. Each is discussed in turn below.
ERISA requires fiduciaries to prudently select and monitor service providers. The EBSA recommends that fiduciaries ask current and prospective service providers whether the service provider carries a cybersecurity insurance policy, including coverage for identity theft and for breaches caused by internal as well as external threats. The EBSA recommends that fiduciaries make such insurance coverage a contract condition but cautions that fiduciaries should “understand the terms and limits of any coverage before relying upon it as protection from loss,” and “beware of contract provisions that limit the service provider’s responsibility for IT security breaches.”
Fiduciaries should also include strong contract safeguards to ensure service provider accountability. The EBSA recommends that fiduciaries include (1) provisions that require the service provider’s ongoing compliance with cybersecurity and information security standards, (2) provisions that require the service provider to obtain a third-party cybersecurity audit each year and give the plan fiduciary the right to review the audit results, (3) defined procedures for notification of cybersecurity breaches, ensuring “the service provider’s cooperation to investigate and reasonably address the cause of the breach,” and (4) specification of the service provider’s “obligations to meet all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.”
The second of three documents released by the EBSA is geared toward helping plan fiduciaries and record-keepers “ensure proper mitigation of cybersecurity risks.” ERISA plan fiduciaries can provide this document to existing and potential service providers, in order to establish clear expectations.
Fiduciaries should hire service providers that:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that data/assets undergo appropriate security reviews/assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program with regular vulnerability scans and annual penetration tests.
- Have an effective business resiliency program.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls.
- Appropriately respond to cybersecurity incidents.
The final document offered by the EBSA is a two-page guide that fiduciaries should consider including in plan communications to participants and beneficiaries. The guide includes tips that can help reduce the risk of fraud and loss to a participant’s account, such as:
- Participants should register and regularly check their retirement accounts online. This will help participants detect unusual activity more quickly. Participants should also ensure the plan administrator has their most up-to-date contact information, since that is where breach and transaction notices will be sent.
- Participants should close any unused online accounts in order to minimize their online vulnerability.
- Participants should use strong and unique passwords. The EBSA guide advises that passwords be changed every 120 days, and immediately in the case of a security breach, and that strong passwords are at least 14 characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters. (Practitioners should note that NIST SP 800-63B recommends against mandatory periodic password changes and composition rules, favoring length and screening against known-compromised passwords instead; a unique password per account, kept in a password manager, addresses the underlying risk either way.)
- Use multi-factor authentication. Forms of multi-factor authentication include (1) additional login credentials such as a PIN or security questions, (2) a security code sent to the user’s mobile phone or email, or (3) biometric data, such as fingerprint or facial recognition. Of these, a PIN or security question is a second knowledge factor and offers the weakest protection against phishing and credential theft; a one-time code or an authenticator app is preferable where the plan’s portal offers it.
- Do not use unsecured or public Wi-Fi networks. When accessing important accounts, participants should always use a secured network.
- Beware of phishing scams. Phishing scams take many forms, all meant to trick a user into clicking a link or sharing account information, passwords, or other sensitive data. Participants should navigate to the plan’s website directly rather than through links in unsolicited email or text messages.
The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.