The Employee Benefits Security Administration of the United States Department of Labor (“EBSA”) recently published guidance regarding cybersecurity best practices for recordkeepers and service providers responsible for plan-related information technology systems and data for ERISA-covered plans, including 401(k) and other pension plans.
The EBSA counseled that a plan’s service providers should implement the following practices:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure System Development Life Cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
The guidance (https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf) provides more granular detail on each practice, including background checks for IT personnel, training for employees, access controls such as multi-factor authentication, and annual review and updating of the cybersecurity program with involvement by senior leadership.
The EBSA also issued “tips” (https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity) to help plan fiduciaries and business owners make “prudent decisions” in hiring service providers for such plans. The tips will look familiar to data security professionals. They include recommendations for due diligence in reviewing a service provider’s information security standards, policies, practices and cyber insurance coverage, as well as baking security compliance and confidentiality requirements into vendor contracts.
Although not legally binding, the guidance could serve as a touchpoint for the EBSA, plaintiffs’ counsel or the courts in determining whether plan fiduciaries met their obligations under applicable law, similar to how the FTC pointed to its own guidance in pursuing Wyndham and LabMD after those companies experienced a data breach. Certainly, it will be more difficult for plan fiduciaries to argue that they met their duty of prudence under ERISA if they ignore the EBSA guidance.