Highlights from the July 27, 2022, webinar hosted by William J. Heaven, Senior Director, HBK Risk Advisory Services, with guest Joel Van Horn, CAP/CITP, CISA, Senior Manager, HBK Risk Advisory Services
While the discussion relates to retirement plans, the information and tips apply broadly across industries and businesses.
The EBSA guidance is split into three forms:
1. Tips for hiring a service provider
2. Cybersecurity program best practices
3. Online security tips
The Employee Retirement Income Security Act of 1974 (ERISA) sets the minimum standards for most voluntarily established benefit plans, such as 401(k)s and 403(b)s. ERISA is split into four titles, including Title I: rules for reporting, disclosures, vesting, participation, and other regulations specific to retirement plans. It is administered by the U.S. Department of Labor (DOL), which is in charge of enforcing Title I.
The IRS is also involved with ERISA, but if an issue involves plan participants, the DOL can step in.
ERISA establishes and defines fiduciary responsibilities.
A fiduciary is a person or entity with discretionary authority to control and manage the operation and administration of a benefit plan covered by ERISA.
Fiduciary responsibilities include:
- Acting solely in the interests of plan participants and beneficiaries, with the exclusive purpose of providing benefits
- Carrying out their duties prudently
- Following the plan's overarching document, which governs how the plan will be administered
- Diversifying plan investments properly
Employee Benefits Security Administration (EBSA):
- Balances proactive enforcement with compliance assistance
- Is responsible for administering and enforcing provisions of ERISA: reporting and disclosure, fiduciary responsibilities, and ultimately acting as a watchdog for the plans
EBSA issued cybersecurity guidance in 2021 to help safeguard retirement benefits and personal information. The guidance:
- Applies to plan sponsors, fiduciaries, record keepers, and participants
- Emphasizes the importance plan sponsors and fiduciaries must place on cybersecurity
- Is meant to complement existing EBSA regulations on electronic storage of records and the electronic delivery of disclosures to plan participants and beneficiaries
- Helps defend against possible future claims brought under ERISA or data breach laws
EBSA Form 1: Tips for hiring a service provider
Many plan functions are outsourced to third-party service providers, who should have strong cybersecurity programs.
Information security standards
- Allow the organization to coordinate and enforce a security program and communicate it to third parties
- Audit the results of the program: test the standards and ensure they are implemented
- Compare your standards to industry standards for benefit plans
- A SOC 2 report is a comprehensive report on a third party that lists the procedures in place, tests those procedures, and lists any exceptions and how management will address them
Validation of practices
- How are vendors validating their practices?
- What levels of security standards have they met and implemented?
- Are they using a third party to validate?
Track the vendor's record in their industry
- Public information on security breaches
- Other litigation
- Legal proceedings related to the vendor's services
Ask about data breaches
- The SOC 2 report will have some information
- What happened and how they responded
Insurance policies
- Coverage for losses from cybersecurity and identity breaches, whether caused by internal or external threats
Service provider contracts
- Require ongoing cybersecurity compliance
- Beware of provisions that limit the provider's responsibility for breaches, and amend them
- Include terms for enhancing cybersecurity protection:
  - information security reporting
  - clear provisions related to use and sharing of information and confidentiality
  - notification of cybersecurity breaches
  - compliance with records retention and destruction, privacy, and other information security laws
  - cybersecurity insurance policies in place
EBSA Form 2: Cybersecurity program best practices
Have a formal, well-documented cybersecurity program:
- Establish strong policies and guidelines, based on NIST or another cybersecurity framework
- Conduct prudent annual risk assessments
- Prioritize according to the biggest risks
- Keep current on where the highest risks exist
Have a reliable, annual third-party audit of security controls.
Clearly define and assign information security roles and responsibilities.
- Must be taken seriously by top management to succeed
Have strong access control procedures.
- Assign access on a least-privilege basis
- Review system access at least quarterly
- Use named user IDs
- Require dual or multi-factor authentication
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent assessments.
Conduct periodic cybersecurity awareness training.
Implement a secure system development life cycle program.
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
Encrypt sensitive data, both at rest and in transit.
- Start with an inventory of what you have
Implement and update strong technical controls in accordance with best practices.
Appropriately respond to any past cybersecurity incidents:
- Fix the problems that caused the breach
EBSA Form 3: Online security tips
Register, set up, and routinely monitor your online account.
Use strong and unique passwords:
- No dictionary words
- A combination of numbers, letters, and special characters
- Nothing in sequence
- 14 or more characters
- Passwords not written down
- Consider a secure password manager
- Don't respond to email requests for account numbers or personal information
Use multi-factor authentication.
Keep personal and contact information current.
Close or delete unused accounts.
Be wary of free Wi-Fi; don't log into accounts from public Wi-Fi.
Beware of phishing attacks, which are how most attacks originate.
Use antivirus software and keep apps and software current.
Know where and how to report identity theft and cybersecurity incidents, both internally and externally.
Following the EBSA best practices will help you ensure the fiduciary responsibilities required by ERISA are met.