Watch: EBSA Cybersecurity Guidance for Protecting Retirement Assets

Date July 27, 2022
Article Authors

Highlights from the July 27, 2022, webinar hosted by William J. Heaven, Senior Director, HBK Risk Advisory Services, with guest Joel Van Horn, CAP/CITP, CISA, Senior Manager, HBK Risk Advisory Services

Watch On Demand.

While the discussion relates to retirement plans, the information and tips apply broadly to industries and businesses.

EBSA Guidance split into three forms:

1. Tips for hiring a service provider

2. Cybersecurity program best practices

3. Online security tips

Employee Retirement Income Security Act of 1974 (ERISA) sets the minimum standards for most voluntarily established benefit plans, like 401ks and 403bs. ERISA is split into four titles, including Title I: rules for reporting, disclosures, vesting, participation, and other regulations specific to retirement plans. It is administered by the U.S. Department of Labor (DOL), which is in charge of enforcing Title 1.

The IRS is involved with ERISA, but if there is an issue that involves plan participants the DOL can step in.

ERISA established fiduciary responsibilities and defines them.

A fiduciary is a person or entity with discretionary authority to control and manage the operation and administration of a benefit plan covered by ERISA.

Fiduciary responsibilities include:

  • Acting solely in the interests of plan participants and beneficiaries with the exclusive purpose of providing benefits
  • Carrying out their duties prudently
  • Following the plan’s overarching document guiding how the plan will be administered
  • Diversifying plan investments properly
  • Employee Benefits Security Administration (EBSA):

  • Balances proactive enforcement with compliance assistance
  • Is responsible for administering and enforcing provisions of ERISA: reporting and disclosure, fiduciary responsibilities and ultimately acting as a watchdog for the plans
  • EBSA issued cybersecurity guidance in 2021 to help safeguard retirement benefits and personal information:

  • Applies to plan sponsors, fiduciaries, record keepers and participants
  • Emphasizes the importance plan sponsors and fiduciaries must put on cybersecurity
  • Meant to complement existing EBSA regulations on electronic storage of records, and the electronic delivery of disclosures to plan participant and beneficiaries
  • Help defend against possible future claims brought under ERISA or data breach laws
  • EBSA Form 1: Tips for hiring a service provider

    Many functions of plans are outsourced to third-party service providers, who should have strong cybersecurity programs.

    Information security standards

  • Allow the organization to coordinate and enforce a security program and communicate that to third parties
  • Audit the results of the program – test the standards and ensure they are implemented
  • Compare your standards to industry standards for benefit plans
  • SOC 2 is a comprehensive report on third parties that lists procedures in place, tests the procedures, and lists any exception and how management will address them.

    Validation of practices

  • How are vendors validating their practices?
  • What levels of security standards have they met and implemented?
  • Are they using a third party to validate?
  • Track vendor’s record in their industry

  • Public information on security breaches
  • Other litigation
  • Legal proceedings related to vendor’s services
  • Ask about data breaches

  • SOC 2 report will have some information
  • What happened and how they responded
  • Insurance policies

  • Coverage for losses by cybersecurity and identify the breaches from internal as well as external threats
  • Service provider contracts

  • Require ongoing cybersecurity compliance
  • Beware of provisions that limit responsibility for breaches and amend those
  • Include terms for enhancing cybersecurity protection:
    • information security reporting
    • clear provisions related to use and sharing of information and confidentiality
    • notification of cybersecurity breaches
    • compliance with records retention and destruction, privacy and other information security laws
    • cybersecurity insurance policies in place
  • EBSA Form 2: best practices

    Have a formal, well-documented cybersecurity program:

  • Establish strong policies and guidelines: base on NIST or other cybersecurity framework
  • Conduct prudent annual risk assessments
  • Prioritize according to biggest risks
  • Keep current on where highest risks exist
  • Have a reliable, annual third-party audit of security controls.

    Clearly define and assign information security roles and responsibilities.

  • Must be taken seriously by top management for success
  • Have strong access control procedures.

  • Assign responsibilities on lease/privilege
  • Review system access at least quarterly
  • Name/user ID’s
  • Dual or multi-factor authentication
  • Ensure that any assets or data stored in a cloud or managed by a third part service provider are subject to appropriate security reviews and independent assessments.

    Conduct periodic cybersecurity awareness training.

    Implement a secure system development life cycle program.

    Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

    Encrypt sensitive data, stores and in transit.

  • Starting with an inventory of what you have
  • Implement and update strong technical controls in accordance with best practices.

    Appropriately respond to any past cybersecurity incidents:

  • Fix the problems that caused the breach
  • EBSA Form 3: Online security tips

    Register, set up, and routinely monitor your online account.

    Use strong and unique passwords.

  • No dictionary words
  • Combination of numbers, letters, and special characters
  • Nothing in sequence
  • 14 or more characters
  • Passwords not written down
  • Consider a secure password manager
  • Don’t respond to email requests for account numbers or personal information
  • Use multi-factor authentication.

    Keep personal and contact information current.

    Close or delete unused accounts.

    Be wary of free wi-fi; don’t log into accounts from public wi-fi.

    Beware of phishing attacks: how most attacks originate.

    Use antivirus software and keep apps and software current.

    Know where and how to report identity theft and cybersecurity incidents, internally and externally.

    Following EBSA best practices will help you ensure the fiduciary responsibilities required by ERISA are met.

    Speak to one of our professionals about your organizational needs

    "*" indicates required fields