Employee Benefits Security Administration's Cybersecurity Guidance Part 2: Cybersecurity Best Practices

Part two of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants is issued in three forms:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online

Cybersecurity program best practices

In part one of our series on the Department of Labor’s Employee Benefits Security Administration’s (EBSA’s) recently issued cybersecurity guidance, we focused on the “tips for hiring a service provider” and advocated for the implementation of a third-party risk management program to facilitate those efforts. Those tips encompass one aspect of a third-party risk management program. While adopting a complete third-party risk management program was not specifically addressed in the DOL guidance, the need becomes evident after exploring the EBSA’s second “form” of guidance, “cybersecurity program best practices,” which were designed to help plan fiduciaries and record-keepers meet their responsibilities to manage cybersecurity risks.

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

The Employee Benefits Security Administration has prepared the following best practices for use by record keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries looking to make prudent decisions on the service provider they are considering for hire. According to the DOL guidance, plans’ service providers should:

  1. Have a formal, well-documented cybersecurity program.

  2. Conduct prudent annual risk assessments.

  3. Have a reliable annual third-party audit of security controls.

  4. Clearly define and assign information security roles and responsibilities.

  5. Have strong access control procedures.

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

  7. Conduct periodic cybersecurity awareness training.

  8. Implement and manage a secure system development life cycle (SDLC) program.

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

  10. Encrypt sensitive data, stored and in transit.

  11. Implement strong technical controls in accordance with best security practices.

  12. Appropriately respond to any past cybersecurity incidents.

The specific details of each of the 12 best practices are set out in the DOL's published guidance.

While the details on nos. 2 through 12 offer more specifics, we recommend you focus on the first best practice, that is, establishing a formal, well-documented cybersecurity program, as a formal, well-documented cybersecurity program will include nos. 2 through 12. The only additional step will be actually implementing your formalized program.

Bringing the entirety of the EBSA guidance full circle, we recommend the following steps:

  • Develop a cyber program: Leveraging established standards can assist you in developing your program. We recommend exploring ISO 27001 or the NIST Cybersecurity Framework. Each has its own advantages, and, if nothing else, offers guidance for establishing a program.
  • Implement the program: Establishing the policies and procedures required for developing a cyber program is one project. Implementing the policies and procedures is another. This may take some time depending on your current security maturity.
  • Test the effectiveness of your program: Undergo a third-party audit as mentioned in item no. 3 of EBSA's best practices. Audit, both internal and external, is a key component of an effective, enduring cybersecurity program.
  • Communicate the program to stakeholders: As pointed out in the first “form” of guidance issued by EBSA, your stakeholders will want to know the details of your security initiatives, including the controls you have in place and their effectiveness.

Often, the last two steps can be achieved in one engagement. SOC reporting offers assurance through an audit in which a CPA opines on the effectiveness of controls. This reporting mechanism communicates both the design and the operating effectiveness of your security program. We strongly recommend that you use a reputable audit firm with security and SOC experience.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: Third-party risk management is a component of "Cybersecurity Program Best Practices," the subject of the next installment of our three-part series on the U.S. Department of Labor's "Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants."


About the Author(s)
Matthew joined HBK in early 2017 after spending four years working for Kearney and Company in Washington, DC as a consultant to the Department of Defense (DoD). Matt has thirteen years of extensive internal control experience within information technology and the financial reporting processes. He leads HBK's Risk Advisory Services, where he assists clients with System and Organization Controls (SOC) 1 and SOC 2 readiness assessments and examinations. Additionally, he helps clients assess the design, implementation, and effectiveness of cybersecurity controls and their ability to achieve industry best practices and security frameworks such as ISO 27001. His client base includes Software-as-a-Service organizations, cybersecurity and incident response service organizations, and service organizations supporting the healthcare and financial services industries.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.