Cybersecurity Best Practices, DOL Style: A Deeper Dive
Editor’s Note: This is the first in a series about the guidance the Department of Labor’s Employee Benefits Security Administration (EBSA) issued on April 14 concerning cybersecurity.

The Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued comprehensive guidance on cybersecurity from a variety of perspectives. This includes in-depth guidance on best practices to follow when seeking to establish, protect and enhance the security of retirement accounts and the data—and most importantly, the revenue—around which it all is centered.

“ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals,” says EBSA. It adds a reminder about what this means for plan fiduciaries: “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Hence the best practices EBSA includes in the April 14 guidance.

The DOL intends the best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, as well as by plan fiduciaries in choosing those service providers. The DOL considers the very detailed guidance a complement to the regulations EBSA has already issued concerning electronic records and disclosures to plan participants and beneficiaries. On May 21, 2020, the DOL issued a final rule that provides a new safe harbor for electronic disclosures.
Fred Reish, Bruce Ashton, and Stephen Pennartz have written that the rule “promises to expand greatly the use of electronic delivery,” and that it “allows retirement plan administrators to satisfy their information disclosure requirements under ERISA by distributing documents to employees electronically under a ‘notice-and-access’ method.” They also remind that “retirement plans still retain a fiduciary duty to protect participants’ personal information from cyber theft.”

“The guidance announced today complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries,” the DOL says of the new guidance. “These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information,” it adds.

“A sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information,” says EBSA. Through such a program, EBSA says, “an organization fully implements well-documented information security policies, procedures, guidelines and standards to protect the security of the IT infrastructure and data stored on the system.”

EBSA stresses the importance of having a formal, well-documented cybersecurity program. It posits in the guidance that formal and effective policies and procedures should govern a wide range of critical aspects relevant to cybersecurity, which fit into five broad categories:

- Data. Address governance, classification, and disposal of data.
- Systems. Address systems operations, application development, and performance; monitor systems, applications, and network security; provide for vulnerability and patch management.
- Control. Provide for control of access; ensure data privacy; manage identity, configurations, assets, vendors, and third-party service providers; provide for encryption to protect all sensitive information transmitted; establish and maintain consistent use of multi-factor authentication; address physical security; establish environmental controls.
- Business continuity. Provide for continuity of business during times of difficulty and disaster; address risk assessment; establish means for incident response and disaster recovery.
- Training. Provide cybersecurity awareness training to all personnel annually.

EBSA says that a prudently designed cybersecurity program should protect the infrastructure, information systems and the information in the systems from unauthorized access, use, or other malicious acts by enabling the organization to:
- Identify risks to assets, information, and systems.
- Protect necessary assets, data, and systems.
- Detect and respond to cybersecurity events and recover from them.
- Disclose cybersecurity events as appropriate.
- Restore normal operations and services.