As the number of cybersecurity incidents continue to climb, it is important for businesses to maintain and improve cybersecurity processes and controls. Cybercriminals are constantly developing new techniques for stealing personally identifiable information (PII) such as social security numbers, bank account information, credit card account numbers, name, address, date of birth details, and more. According to the Employee Benefits Security Administration (EBSA), there are more than 140 million retirement plans with over $9 trillion in assets currently in operation. If this data is not properly protected through appropriate cybersecurity measures, it can create exposure for plan fiduciaries. Given this, the Department of Labor (DOL) recently released guidance on cybersecurity program best practices to help plan fiduciaries when selecting third-party plan vendors. To help clients, prospects, and others, Selden Fox has provided a summary of the key details below.
Cybersecurity Guidance Summary
Formal, Well Documented, Cybersecurity Program
When evaluating a potential vendor, it is important to ensure there is a well-documented cybersecurity program in place to protect plan participants. The plan should include components that:
- Protect the infrastructure, information systems and information itself from unauthorized access or other criminal acts. The vendor’s plan should allow them to identify system risks, detect, and respond to cybersecurity issues, recover from the unexpected, disclose the breach as appropriate, restore normal operations and services, and be reviewed at least annually by a third-party auditor.
- Establish strong security policies. This includes guidelines that are approved by senior leadership, reviewed at least annually, and are adjusted to ensure maximum protection. There should also be an annual independent audit to confirm compliance with established standards.
- Formal policies and procedures that govern plan components. This may include data classification, business continuity and disaster recovery, asset management, risk management, physical security and environmental controls, data privacy, cybersecurity awareness training and data encryption.
Independent Third-Party Audit
Ensure the vendor undergoes a regular independent audit of cybersecurity controls and policies. An unbiased audit creates a clear picture of the existing risks, vulnerabilities and weaknesses that may need to be addressed. It is common for these audits to include a summary report, penetration testing reports and supporting documentation. The vendor should document how they’ve responded to all issues identified in the independent audit analysis.
Strong Access Control Procedures
Ensure potential vendors have controls that ensures user authentication and authorization. There are several best practices for access control which include:
- Access privileges are limited on the individual’s role (general user, administrator, etc.) and comply with the need-to-access principle. It is also important these privileges are reviewed at least quarterly.
- All employees have unique and complex passwords.
- Uses multi-factor authentication when possible.
- Policies and procedures to monitor the activity of authorized users and detect unauthorized access, use of, or tampering with sensitive data.
- Procedures that ensure participant PII in the service providers records matches the same plan information.
Cybersecurity Training Programs
Since employees are often the weakest link when it comes to data protection, it is important to review a provider’s employee cybersecurity training programs. Remember a comprehensive cybersecurity training program educates everyone to recognize attack vectors, help prevent cyber-attacks and how to respond to potential threats. The program should focus on current trends to exploit unauthorized access to systems. The more training conducted the less likely it is an employee will make a mistake that endangers plan data.
Cybersecurity Breach Response Plan
Although it is never expected, if a breach does occur, the provider should have a set of established procedures outlining how the organization will respond. Key items to look for include identifying when law enforcement is contacted, when user notification will be made, incident investigation, when and how breach notification will be made and steps the provider will take to fix the breach and prevent it from happening again.
The DOL guidance provides important technical information to help Chicago plan fiduciaries carefully evaluate potential vendors. To protect plan data, it is essential to use the guidance as starting point when reviewing cybersecurity measures. If you have questions about the information outlined above or need assistance with a 401k or other benefit plan audit, Selden Fox can help. For additional information call us at 630.954.1400 or click here to contact us. We look forward to speaking with you soon.