Best Practice Guidelines or Mandatory Requests
Although the DOL’s new guidance is labelled a “best practice,” do not be misled by the wording: now that we are more than a year into these new rules, it has become clear that these “guidelines” should be understood as mandatory requests. During an audit, DOL investigators now request supporting documents and include questions about these guidelines in their interviews. As stated by the DOL, involved parties should produce “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan.”
The “best practices” are overarching and vague, but they do a thorough job of explaining the areas of risk and where ERISA benefit plans, sponsors, and fiduciaries might need to “tighten up the hatches” to avoid future risk exposure, and the DOL is holding them to it.
The guidance is broken into three different sections issued by the DOL to help affiliated parties navigate these intimidating new tasks:
1. Cyber Security Program Best Practices
A 5-page document that covers 12 important steps for Cyber Security Program Best Practices:
1) Formal, Well Documented Cybersecurity Program
2) Prudent Annual Risk Assessments
3) Reliable Annual Third Party Audit of Security Controls
4) Clearly Defined and Assigned Information Security Roles and Responsibilities
5) Strong Access Control Procedures
6) Criteria for Assets or Data Stored in a Cloud or Managed by 3rd-Party Service Providers
7) Annual Cyber-Security Training
8) Secure System Development Life Cycle Program
9) Business Resiliency Program with Consideration of Business Continuity, Disaster Recovery, and Incident Response
10) Sensitive Data Encryption
11) Strong Technical Controls
12) Response to Cybersecurity Incidents or Breaches
Although it does not say so explicitly, the DOL guidance indirectly maps to the five Functions of the NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond, and Recover.
2. Tips for Hiring a Service Provider
A two-page document that suggests questions to ask and areas to examine when forming agreements with ERISA plan service providers. It addresses pertinent topics such as determining in advance which party would be at fault in the event of a breach or data loss incident and ensuring there is proper insurance coverage for such incidents.
3. Online Security Tips
A two-page document published by the DOL to educate ERISA plan participants about account and password best practices and safekeeping.
Since the release of the DOL’s cybersecurity guidance for employee retirement plans, fiduciaries have had an obligation to ensure proper mitigation of cybersecurity risks. The DOL is focused not only on the policies and procedures that are put into place but also on the response plans that apply if and when cyber incidents occur.
The DOL provided this guidance as a resource to assist ERISA plans, sponsors, and fiduciaries with their risk mitigation efforts, but it left some room for interpretation.