Part three of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administrations (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants are provided under three forms:

1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA


2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks


3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online

Online security tips

The DOL’s third and final piece of guidance, “online security tips,” is designed to help retirement account participants and beneficiaries reduce the risk of fraud and loss when checking their accounts online. These are basic security tips, fundamentals that should be employed by everyone if at all possible.

1. Register, set up and routinely monitor your online account. If you don’t register and set up your online account, you run the risk that someone else will. Being responsible for your accounts also includes logging in regularly to review activity. If you find a suspicious entry, alert your sponsor and report the activity to the appropriate authorities (see #9). As well, protect yourself from identity theft and unauthorized access by using strong, unique passwords and multifactor authentication.


2. Use strong, unique passwords. The DOL guidance issued the following advice for using strong passwords:
   • Don’t use dictionary words.
   • Use letters (both upper and lower case), numbers, and special characters.
   • Don’t use letters and numbers in the sequence (no “abc”, “567”, etc.).
   • Use 14 or more characters.
   • Don’t write passwords down.
   • Consider using a secure password manager to help create and track passwords.
   • Change passwords every 120 days, or if there’s a security breach.
   • Don’t share, reuse, or repeat passwords.

   Not reusing or repeating passwords can be difficult. How are you supposed to remember a different password for each account? But if you reuse and repeat passwords for all your accounts and one of those accounts is compromised, the attacker potentially has access to every account where that password is used. Hint: Consider using a secure password manager (“f” above). Also, multi-factor authentication helps mitigate this risk.

3. Use multifactor authentication. Multi-factor authentication (MFA), also called “two-factor authentication,” requires a second credential to verify your identity—for example, entering a code sent in real-time by text message or email. In the event your password is compromised, MFA could be the last layer of defense to protect your account from unauthorized access. If you receive an unsolicited request to verify your access, it likely means your password has been compromised; do not authorize access and change your password immediately. Only respond to requests that you initiate.


4. Keep personal contact information current. Update your contact information when it changes, so you can be reached if there’s a problem. Select multiple communications options.


5. Close or delete unused accounts. Closing and deleting unnecessary or inactive accounts serve to reduce your online presence, and therefore, the risk that your accounts will be compromised. This might appear to contradict the advice of #1 above, but if an account is disabled, you should still be able to request notifications of any activity. You will also be notified if your account information is changed or your account is reopened, which could indicate your identity has been stolen.


6. Be wary of free Wi-Fi. Public, open Wi-Fi can be a haven for criminals; unprotected Wi-Fi can allow direct access to your computer. There, cybercriminals can monitor your activity and steal your information. It is best to stick to trusted home and business networks, but if you use public Wi-Fi, protect yourself by using a virtual private network (VPN) to establish secure sessions.


7. Use anti-virus software. Use it and keep it updated; it’s that simple. There are many trustworthy free and low-cost options.


8. Beware of phishing attacks. One of the most common ways criminals steal your information or gain access to your account is through phishing or fake emails. Phishing attacks aim to gain access to your accounts by tricking you into sharing your passwords, account numbers, and sensitive information. A phishing message may look like it comes from a trusted organization, to lure you to click on a dangerous link or pass along confidential information.



Common warning signs of phishing attacks include:

• A text message or email you didn’t expect or that comes from a person or service you don’t know or use
• Spelling errors or poor grammar
• Mismatched links: a seemingly legitimate link sends you to an unexpected address. Often, but not always, you can spot a mismatched link by hovering your mouse over the link without clicking on it, so that your browser displays the actual destination.
• Shortened or odd links or addresses
• An email request for your account number or personal information. Legitimate providers should never send you emails or texts asking for your password, account number, personal information, or answers to security questions.
• Offers or messages that seem too good to be true, express great urgency, or are aggressive and scary
• Strange or mismatched sender addresses
• Anything else that makes you feel uneasy
9. Report identity theft and cybersecurity incidents. The FBI and the Department of Homeland Security have set up sites for reporting cybersecurity incidents:
   • https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view
   • https://www.cisa.gov/reporting-cyber-incidents

Communicating these tips to your employees, participants, and beneficiaries is critical to protecting personal identities and retirement plan assets. As such, we recommend establishing a security awareness and training program to communicate regularly with employees, participants, beneficiaries, and all other relevant audiences on security best practices and evolving threats.

For more information on DOL’s security tips, educating your employees on cybersecurity, or implementing cybersecurity best practices, contact HBK Risk Advisory Services at 724-934-5300, or by email at mschiavone@hbkcpa.com.

Use the following links to read part one and part two.

Part two of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administrations (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants is provided under three forms:

1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA


2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks


3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online

Cybersecurity program best practices

In part one of our series on the Department of Labor’s Employee Benefits Security Administration’s (EBSA’s) recently issued cybersecurity guidance, we focused on the “tips for hiring a service provider” and advocated for the implementation of a third-party risk management program to facilitate those efforts. Those tips encompass one aspect of a third-party risk management program. While adopting a complete third-party risk management program was not specifically addressed in the DOL guidance, the need becomes evident after exploring the EBSA’s second “form” of guidance, “cybersecurity program best practices,” which were designed to help plan fiduciaries and record-keepers meet their responsibilities to manage cybersecurity risks.

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

The Employee Benefits Security Administration has prepared the following best practices for use by record keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries looking to make prudent decisions on the service provider they are considering for hire. According to the DOL guidance, plans’ service providers should:

1. Have a formal, well-documented cybersecurity program.


2. Conduct prudent annual risk assessments.


3. Have a reliable annual third-party audit of security controls.


4. Clearly define and assign information security roles and responsibilities.


5. Have strong access control procedures.


6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.


7. Conduct periodic cybersecurity awareness training.


8. Implement and manage a secure system development life cycle (SDLC) program.


9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.


10. Encrypt sensitive data, stored and in transit.


11. Implement strong technical controls in accordance with best security practices.


12. Appropriately respond to any past cybersecurity incidents.

The specific details of each of the 12 Best Practices can be found here.

While the details on nos. 2 through 12 offer more specifics, we recommend you focus on the first best practice, that is, establishing a formal, well-documented cybersecurity program, as a formal, well-documented cybersecurity program will include nos. 2 through 12. The only additional step will be actually implementing your formalized program.

Bringing the entirety of the EBSA guidance full circle, we recommend the following steps:

• Develop a cyber program: Leveraging established standards can assist you in developing your program. We recommend exploring ISO 27001 or the NIST Cybersecurity Framework. Each has its own advantages, and, if nothing else, offers guidance for establishing a program.
• Implement the program: Establishing the policies and procedures required for developing a cyber program is one project. Implementing the policies and procedures is another. This may take some time depending on your current security maturity.
• Test the effectiveness of your program: Undergo a third-party audit as mentioned in item no. 3 of EBSA’s best practices. Audit–both internal and external—is a key component of an effective, enduring cybersecurity program.
• Communicate the program to stakeholders: As pointed out in the first “form” of guidance issued by EBSA, your stakeholders will want to know the details of your security initiatives, including the controls you have in place and their effectiveness.

Often, the last two steps can be achieved in one engagement. SOC reporting offers assurance through an audit in which a CPA opines the effectiveness of controls. This reporting mechanism communicates the design and effectiveness of your security program. We strongly recommend that you use a reputable audit firm with security and SOC experience.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: Third-party risk management is a component of “Cybersecurity Program Best Practice,” the subject of the next of our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

Click here to read part one.

Date: March 23, 2022

Time: 10:00 – 11:00 am ET

Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

As computing landscapes continue to broaden, organizations are finding themselves exposed to greater risk from third-party vendors. According to a major governance, risk, and compliance firm, only 52 percent of companies have security standards governing their relationships with third parties, despite an average of 89 vendors accessing those companies’ networks on a weekly basis.

In our March 23 Risk Advisory Services webinar, “Establishing a Third-Party Risk Management Program,” we will explain why third-party risk is on the rise, current trends, and how to establish your own third-party, or vendor, risk management program.

We will cover:

• Current trends in third-party risk management
• The various types of obligations that impact a vendor’s rating
• Common cybersecurity attack vectors used against third parties
• Steps in a third-party risk lifecycle
• Suggestions for assigning responsibility for your vendor risk protection process

Join me for insights on mitigating your exposure to third-party cybersecurity risks.

Register Today!

Date: February 23, 2022

Time: 2:00 – 3:00 pm EST

Host: William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

As computing technology evolves, organizations are finding themselves exposed to higher risk levels due to poor cybersecurity hygiene. We are seeing repeated examples of lax IT security controls leading to cybersecurity incidents and/or breaches.

In our February 23 Risk Advisory Services webinar, “Cybersecurity Hygiene: Strategies for Securing Your Business,” we will explain why these incidents are increasing and how to improve your cybersecurity posture—and share some shocking statistics that will encourage you to take action toward better cybersecurity hygiene.

We will cover:

Join me for insights on limiting your risk exposure while enhancing your business’s cybersecurity posture.

REGISTER TODAY!

HBK CPAs & Consultants, a Top 100 accounting firm, and Vertical Solutions, a Pittsburgh-based managed service provider (MSP), today announced they have entered into a definitive merger agreement. Upon closing of the transaction, Vertical Solutions will merge operations with HBK IT, an HBK company. The entity (Combined Company) will be renamed “Vertilocity” and operate out of Pittsburgh and Clark, New Jersey, and in the Denver, Colorado area. Vertilocity will be led by Bruce Nelson, president of Vertical Solutions. The Combined Company’s annual gross revenue is estimated currently at $10 million.

“Digital technology is the most impactful disrupter in business today,” said Christopher M. Allegretti, CPA, HBK managing principal and CEO. “Everywhere and in every industry, companies are embracing digital transformation. The Vertical Solutions team is steeped in experience in organizational workflows, systems, and software, and will support our initiative to provide relevant, sophisticated technological support to our clients.”

Founded in 1993 and acquired in 2007 by R.L. Nelson and Associates, Inc., a Pittsburgh-based information systems consulting firm founded in 1986, Vertical Solutions has established itself as a trusted advisor to companies on their technology-based business management systems. The firm was among the earliest entries in the field of managed services providers and offers a vast array of IT-related services and support, including proactive managed IT support, advanced threat protection, Office 365 management and support, technological tools and software designed to address an organization’s specific processes, and hardware procurement and installation. Vertical Solutions has specialized in working with healthcare businesses and institutions, and as such, the merger also serves to enhance HBK’s support of its more than 600 healthcare clients.

“I’m extremely excited about what this merger brings to our team and the clients of both firms,” noted Bruce Nelson, president of Vertical Solutions. “HBK IT has extensive capabilities, and our firms share a vision for technical solutions, that they are built around solving business challenges. Our collective technical expertise along with the financial services offered by HBK combine for a unique, comprehensive, and extremely valuable offering to our current and future clients.”

Vertical Solutions operates out of offices in Pittsburgh and remotely in and around Denver where about one-third of its clients are located. As such, the merger not only extends HBK’s reach in the West, but gives the Combined Company a significant IT services presence in three major markets: Pittsburgh, Denver, and New York Metropolitan Region. It also allows HBK to deliver comprehensive IT and MSP services, including cybersecurity support, to the firm’s accounting and financial services clients throughout Ohio, Pennsylvania, New Jersey, and Florida.

Since the turn of the century, HBK has been investing in its own digital transformation.

“We have been committed to enhancing our technological capabilities as well as technology-based services to our clients,” Mr. Allegretti said. “Internally, technological capabilities are key to being able to pivot quickly and effectively when it comes to unexpected challenges, as it did in 2020 in response to the unprecedented challenges associated with the COVID-19 pandemic.”

HBK provides small to mid-market businesses and their owners and operators a wide range of financial solutions, including accounting, tax and audit services; wealth management; business valuation; corporate finance; forensic accounting; litigation support services; and business consulting, including specific expertise in a number of major industries. The CPA firm dates back to 1949 and added its wealth management practice in 2001. The financial professionals of HBK CPAs & Consultants and HBKS Wealth Advisors serve clients locally out of offices in Columbus, Youngstown and Alliance, Ohio; Pittsburgh, Philadelphia, Erie, Hermitage, Meadville and Blue Bell, Pennsylvania; Princeton, Cherry Hill and Clark, New Jersey; and Fort Myers, Naples, Stuart, Sarasota and West Palm Beach, Florida. HBK CPAs & Consultants and HBKS Wealth Advisors are both Top 100 rated firms. HBK ranks 52nd on Accounting Today’s list of the largest U.S. CPA firms with firm-wide revenues totaling more than $100 million. 

The 2021 4th of July holiday week was marked by two widespread cybersecurity incidents, the Kaseya ransomware attack, and the Windows PrintNightmare (Print Spooler) vulnerability. While Microsoft quickly released an emergency, “out-of-band” patch to the Windows printer vulnerability, many businesses remain exposed to security compromises.

The Windows Print Spooler vulnerability, identified on July 1, could allow an attacker to install programs; view, change, and delete data; and create new accounts with full user rights. Microsoft confirmed the vulnerability existed in all Windows versions, but noted that it could only be exploited by an authenticated user. Then on July 6, Microsoft announced a patch, or “security updates,” for the so-named PrintNightmare. While the fixes did not address Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, Microsoft indicated that updates for those versions were forthcoming. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) first issued guidance encouraging administrators to disable the Windows Print spooler service in domain controllers and systems that do not print, then advised applying the Windows patch immediately upon its release.

More devastating and unresolved is the Kaseya ransomware attack that occurred on July 2. Kaseya is a software solution used by managed service providers and enterprises to remotely manage and monitor computers running Windows, OS X, and Linux operating systems. As such, the supply chain attack gave hackers access to thousands of small and medium-sized businesses, many of which outsource their IT services to managed service providers leveraging this technology and were likely unaware Kaseya was at work in their organizations.

When the incident was first announced, it was estimated that about 40 Kaseya users were victims of the ransomware attack. By Monday, July 5, the number was increased to 50. But as Kaseya is “hidden” through the third-party service provider, it was determined that the attack impacts more than 1,500 businesses. By the time these businesses feel the effects, their service providers, who they would normally turn to for a solution, will also be incapacitated and unable to help.

Businesses have been too dependent on their IT managed service providers, including expecting triage services in the event of a cyberattack while failing to consider the implications of such an incident on their operations. Providers, unable to protect themselves, won’t be able to help their clients. While vendor risk management has taken leaps forward, many small and medium-sized businesses are still catching up, still relying too much on their vendors and failing to vet and monitor their service providers’ cyber posture.

Simply put, your cybersecurity is your responsibility. It starts and ends with you. Of course, you will use consultants and service providers, but get involved, ask questions, and implement a cybersecurity program of your own. Your cyber posture should be complemented and enhanced by these service providers, not reliant on them.

While there is no one-size-fits-all cybersecurity program, you can implement some fundamental measures to reduce risk and help your organization prevent, detect, respond, and recover from cyber incidents. HBK Risk Advisory Services can help. Contact us at (724) 934-5300; or email me at mschiavone@hbkcpa.com.

Businesses are no stranger to analyzing risk. However, often neglected are risk assessments regarding your organization’s cybersecurity posture. Yet, these assessments are an effective way to identify your organization’s vulnerability to cyber-attacks. In fact, many regulatory agencies require annual risk assessments. Even if you are not a technology or cyber expert, you can help improve your organization’s cybersecurity posture as well as meeting any regulatory demands.

HBK Risk Advisory Services Senior Managers Bill Heaven, CPA/CITP, CISA, CSCP and Matt Schiavone, CPA, CISSP, CISA discuss the fundamentals of the risk assessment, the steps to execute your own internal risk assessment, reporting results and how to properly maintain your risk assessment process.

Download the materials.

This month’s risk advisory webinar welcomes Max Borovkov, CEO of Julie Security to discuss Operational Technology (OT), the Internet of Things (IoT), and the impact on the Fourth Industrial Revolution (Industry 4.0). OT and IoT technologies are often ignored and can leave a significant gap in your cyber security program. Join us to learn why these technologies should be secured, the threats plaguing them and what you can do to proactively protect your organization.

Join HBK’s Bill Heaven and cybersecurity expert, Max Borovkov, to learn more about OT and IoT risks as well as cyber defense strategies that you can implement.

Download the materials.

Join me and cybersecurity expert Max Borovkov, CEO of Julie Security, at noon on Wednesday, March 24, for a webinar discussion of the gaps created when controls for Operational Technology (OT), including environmental, industrial, and telecommunications systems, and Internet of Things (IoT) technologies are not implemented. We’ll explain why these technologies should be secured, the threats plaguing them, and what you can do to proactively protect your organization.

The cost of cyber-crime is projected to grow significantly year over year reaching $10.5 trillion by 2025. All companies—not only healthcare providers, manufacturers, and utilities—should implement OT system controls, just as they do for information technology (IT) systems. The top reasons for doing so are as follows:

• Cybersecurity Attacks

  The recent and now infamous SolarWinds supply chain attack demonstrated the extent of devastation an attack can cause, and we know that the incidence of cyber-crime continues on the rise. As well, we’re seeing a greater variety of types of attacks, from the sophisticated Advanced Persistent Threat (APT) to hackers working from their basements using “script kiddies.”

• System Malfunctions

  Computer networks are not immune to Murphy’s Law. Computers are mechanical devices and prone to failure over time. It is wise to monitor them as well as implement controls, such as frequent backups, that ensure system availability.

• Internal/Insider Threats

  According to the Verizon Data Breach Investigations Report, 30 percent of data breaches in 2020 involved internal actors. Such threats are not all malicious; errors and mistakes account for a portion of the total.

• Third-Party Risk

  Our initial 2021 Risk Advisory Webinar stressed the importance of attending to third-party risk. Contractors and vendors with remote access and connectivity to your systems should be monitored. It was access obtained through an HVAC vendor that led to one of the largest credit card breaches in history.

The SolarWinds cybersecurity attack in December impacted the U.S. government and some of the largest companies in the world and could easily be the largest third-party breach in history. This month we will explain the latest on the attack, what you can do to protect your organization, and the repercussions on cybersecurity insurance.

Join HBK’s Bill Heaven and cybersecurity law expert and bestselling author, Joe Brunsman of Chesapeake Professional Liability Brokers, Inc. to learn more about the hack and the how your cybersecurity insurance policy could be affected.

Download materials.