The Department of Labor (DoL) recently released new guidance on protecting $9.3 trillion in retirement benefits for over 34 million participants in contribution plans, aimed at ensuring that proper cybersecurity best practices are in place.
DoL's Employee Benefits Security Administration (EBSA) put together best practices for plan-related IT systems and data, for use by recordkeepers and other service providers responsible for those systems, and by plan fiduciaries deciding which service providers to hire.
“Responsible plan fiduciaries have an obligation to ensure proper mitigation for cybersecurity risks,” the guidance states.
According to the guidance, plans’ service providers should do the following:
- “Have a formal, well documented cybersecurity program;
- Conduct prudent annual risk assessments;
- Have a reliable annual third-party audit of security controls;
- Clearly define and assign information security roles and responsibilities;
- Have strong access control procedures;
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct periodic cybersecurity awareness training;
- Implement and manage a secure system development life cycle (SDLC) program;
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- Encrypt sensitive data, stored and in transit;
- Implement strong technical controls in accordance with best security practices; and
- Appropriately respond to any past cybersecurity incidents.”
According to EBSA, a “sound cybersecurity program identifies and assesses internal and external cybersecurity risks” that threaten stored nonpublic information.