Highlights from the July 27, 2022, webinar hosted by William J. Heaven, Senior Director, HBK Risk Advisory Services, with guest Joel Van Horn, CAP/CITP, CISA, Senior Manager, HBK Risk Advisory Services
While the discussion relates to retirement plans, the information and tips apply broadly to industries and businesses.
EBSA guidance is split into three forms:
1. Tips for hiring a service provider
2. Cybersecurity program best practices
3. Online security tips
The Employee Retirement Income Security Act of 1974 (ERISA) sets the minimum standards for most voluntarily established benefit plans, such as 401(k)s and 403(b)s. ERISA is split into four titles; Title I covers rules for reporting, disclosures, vesting, participation, and other regulations specific to retirement plans. ERISA is administered by the U.S. Department of Labor (DOL), which is in charge of enforcing Title I.
The IRS is also involved with ERISA, but if there is an issue that involves plan participants, the DOL can step in.
ERISA establishes and defines fiduciary responsibilities.
A fiduciary is a person or entity with discretionary authority to control and manage the operation and administration of a benefit plan covered by ERISA.
Fiduciary responsibilities include:
Employee Benefits Security Administration (EBSA):
EBSA issued cybersecurity guidance in 2021 to help safeguard retirement benefits and personal information:
EBSA Form 1: Tips for hiring a service provider
Many functions of plans are outsourced to third-party service providers, who should have strong cybersecurity programs.
- Information security standards: a SOC 2 report is a comprehensive report on a third party that lists the procedures in place, tests those procedures, and lists any exceptions and how management will address them.
- Validation of practices
- Track the vendor's record in its industry
- Ask about data breaches
Service provider contracts should include:
- information security reporting
- clear provisions related to use and sharing of information and confidentiality
- notification of cybersecurity breaches
- compliance with records retention and destruction, privacy and other information security laws
- cybersecurity insurance policies in place
EBSA Form 2: Cybersecurity program best practices
- Have a formal, well-documented cybersecurity program.
- Have a reliable, annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent assessments.
- Conduct periodic cybersecurity awareness training.
- Implement a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both stored and in transit.
- Implement and update strong technical controls in accordance with best practices.
- Appropriately respond to any past cybersecurity incidents.
EBSA Form 3: Online security tips
- Register, set up, and routinely monitor your online account.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal and contact information current.
- Close or delete unused accounts.
- Be wary of free wi-fi; don't log into accounts from public wi-fi.
- Beware of phishing attacks, which is how most attacks originate.
- Use antivirus software and keep apps and software current.
- Know where and how to report identity theft and cybersecurity incidents, both internally and externally.
Following the EBSA best practices will help ensure that the fiduciary responsibilities required by ERISA are met.