On April 14, 2021, the U.S. Department of Labor (DOL) provided new cybersecurity guidance for retirement plan sponsors, plan fiduciaries, record keepers, and plan participants. Recognizing that plans covered by the Employee Retirement Income Security Act (ERISA) can hold millions of dollars in assets and include personal information on plan participants, the DOL has released a set of 12 cybersecurity best practices that should be applied to a Plan’s processes and systems when considering its cybersecurity risk.
Although “best practices” are not generally understood to mean “required,” the DOL is reported to have begun issuing information and document requests around record holders’ cybersecurity programs. To an entity that has not kept pace with identifying and mitigating cybersecurity threats (and even those that have), responding to record requests can be confusing and daunting. Couple these requests with the understanding that the DOL’s best practices are intended to cover large, complex organizations, as well as small companies that may have limited resources and no in-house IT staff, one begins to see the challenges of 1) standing up a robust cybersecurity program and 2) ensuring the DOL’s new standards are properly met.
The good news is that the 12 best practices are consistent with common cybersecurity and information security standards and are closely aligned with the regulatory standards of the broader financial services industry. Guidance from the Federal Financial Institutions Examination Council (ffiec.gov) and the Federal Deposit Insurance Corporation (fdic.gov) are excellent places to start researching.
To help fiduciaries address the DOL’s standards, here is a high-level overview of several key provisions of the Cybersecurity Program Best Practices document that might be of interest as fiduciaries implement these standards. The following sections address an entity’s governance structure for the implementation of a strong cybersecurity program. In a future article, we will address other areas from the DOL’s Cybersecurity Best Practices document, which emphasize operational and security controls.
Formal, Well Documented Cybersecurity Program: In auditing, we have a saying that if it isn’t written down, it didn’t happen. Similarly, the basis for implementing effective cybersecurity controls starts with having a written plan. A documented Cybersecurity Program includes several key policies that are reviewed and updated periodically (no less than annually) and reflect the cybersecurity standards under which the fiduciary will operate. The policies should be approved by an appropriate level of management or governing body. The Program should also document standard operating procedures for typical cybersecurity activities, along with system configurations such as network maps and data flow diagrams.
Prudent Annual Risk Assessments: When designing controls to protect your customers’ information, it is helpful to know the threats to that information. The risk assessment process is valuable because it helps management brainstorm all possible threats to the information. It will certainly include a security threat assessment based on current events, but should also consider physical risks (i.e., document shredding and hard drive destruction), availability risks (are backups adequate and safely protected), even industry related risks (does the regulatory environment warrant changes to our cybersecurity program). Each risk should be evaluated for impact and likelihood, and consideration should be given to existing controls which reduce the risks to an acceptable level. If management determines that a risk is too high, compensating controls should be designed to bring the risk to an acceptable level.
Reliable Annual Third-Party Audit of Security Controls: When new guidance or regulations arise, often companies turn to their outsourced IT consultant to interpret the technology requirement. The trouble with that model is the IT consultant’s focus is (rightly) to make their customer (you) happy by making the technology work. The DOL’s best practice for an annual, independent third-party audit adds a layer of accountability for ensuring security controls are designed and operating effectively. It also has the benefit of providing management with an alternative sounding board and differing perspective from their IT consultant when securing a system or approaching a cybersecurity control. An annual audit may sound too frequent, but the nature of cybersecurity risk changes so rapidly that a system might be secure today, but a new vulnerability may be introduced tomorrow, making yesterday’s security control obsolete.
Have an effective business resiliency program addressing business continuity, disaster recovery, and Incident Response: Business resiliency is the process of creating policies and controls which ensure a company’s systems and data will be available and accurate when needed. This is especially important with the rise in ransomware attacks targeting nearly every industry, including financial services. A strong business resiliency addresses risks around system downtime, but also how a company responds to a cybersecurity incident by designing and implementing an Incident Response Plan.
In ERISA-regulated plans (and one could argue, in all businesses) cybersecurity risk should be considered as important a risk as markets, interest rates, or competing firms. Keep in mind there is no perfect framework, software, process, or control that guarantees a perfectly secured system. However, implementing a safe and sound cybersecurity program does not need to be challenging or complex. The nature of the DOL’s recommendations is focused on cybersecurity hygiene basics, and a great first step is to recognize the risks to manage them accordingly.
Additional Resources: Department of Labor’s Cybersecurity Best Practices; CIS Controls; NIST Cybersecurity Framework
For questions about cybersecurity standards and best practices, contact Bryan Newlin, CPA, CISA, CCSK. Bryan is the Principal for YHB’s Risk Advisory Services (RAS) practice. The RAS practice is a team of technologists who help global and local companies improve their cybersecurity posture by applying well known regulatory and IT control frameworks. We work with financial institutions, contact centers, business process outsourcing companies, tech startups, and others.
For questions about YHB’s Employee Benefit Plan Audit practice, contact Erica Young, CPA. Erica is an Audit Manager and is a champion of our Employee Benefit Plans audits, having significant experience working with Defined Contribution, Money Purchase Plans, 403(b), ESOP, and Defined Benefit. YHB’s EBP audit professionals are highly experienced in auditing various types of retirement plans for businesses of all sizes in many industries and are currently performing audit services for 100 different nonprofits, public and private companies.