DOL Ramps Up Retirement Plan Cybersecurity Policy Investigations

Reports continue to come in concerning an increasing number of DOL requests made to plan sponsors asking for all cybersecurity and information security program policies, procedures and guidelines that relate to retirement plans, whether applied by the plan sponsor or by a provider, as well as detailed documentation of specific actions taken by the plan’s fiduciaries and providers, including many that the DOL addressed in its guidance.

In April 2021, the DOL issued Cybersecurity Program Best Practices as guidance for plan fiduciaries, record keepers, and service providers that details what the DOL will undoubtedly be scrutinizing when it comes to retirement plan cybersecurity policies. These include the following:

Have a formal, well-documented cybersecurity program. 

A sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information. Under the program, the organization fully implements well-documented information security policies, procedures, guidelines, and standards to protect the security of the IT infrastructure and data stored on the system.

Conduct prudent annual risk assessments. 

A risk assessment is an effort to identify, estimate, and prioritize information system risks. IT threats are constantly changing, so it is important to design a manageable, effective risk assessment schedule. Organizations should codify the risk assessment’s scope, methodology, and frequency.

Have a reliable annual third-party audit of security controls. 

Having an independent auditor assess an organization’s security controls provides a clear, unbiased report of existing risks, vulnerabilities, and weaknesses. Effective audit programs should be expected to provide:

  • Audit reports, audit files, penetration test reports and supporting documents, and any other analyses or review of the party’s cybersecurity practices by a third party.
  • Audits and audit reports prepared and conducted in accordance with appropriate standards.
  • Documented corrections of any weaknesses identified in the independent third-party analyses.

Clearly define and assign information security roles and responsibilities.

For a cybersecurity program to be effective, it must be managed at the senior executive level and executed by qualified personnel. As a senior executive, the Chief Information Security Officer (CISO) would generally establish and maintain the vision, strategy, and operation of the cybersecurity program that is performed by qualified personnel.

Have strong access control procedures. 

Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to IT systems and data. It mainly consists of two components: authentication and authorization.

Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. 

Cloud computing presents many unique security issues and challenges. In the cloud, data is stored with a third-party provider and accessed over the Internet. This means visibility and control over that data is limited. Organizations must understand the security posture of the cloud service provider to make sound decisions on using the service.

Conduct periodic cybersecurity awareness training. 

Employees are often an organization’s weakest link for cybersecurity. A comprehensive cybersecurity security awareness program sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat. Since identity theft is a leading cause of fraudulent distributions, it should be considered a key topic of training, which should focus on current trends to exploit unauthorized access to systems. Be on the lookout for individuals falsely posing as authorized plan officials, fiduciaries, participants, or beneficiaries.

Implement and manage a secure system development life cycle (SDLC) program. 

A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort.

Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. 

Business resilience is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and data. The core components of a program include the Business Continuity Plan, Disaster Recovery Plan, and Incident Response Plan. 

Encrypt sensitive data, stored and in transit. 

Data encryption can protect nonpublic information. A system should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit. 

Implement strong technical controls in accordance with best security practices. 

Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. 

Appropriately respond to any past cybersecurity incidents.

When a cybersecurity breach or incident occurs, appropriate action should be taken to protect the plan and its participants, including:

  • Informing law enforcement.
  • Notifying the appropriate insurer.
  • Investigating the incident.
  • Giving affected plans and participants the information necessary to prevent/reduce injury.
  • Honoring any contractual or legal obligations with respect to the breach, including complying with agreed upon notification requirements.
  • Fixing the problems that caused the breach to prevent its recurrence.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you follow the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 678-439-6236.

The following two tabs change content below.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
%d bloggers like this: