A Cybersecurity Preparedness Checklist for Administrators, Trustees, and Boards of Directors
Whether you’re a plan administrator, a plan fiduciary, or you sit on the Board of Directors, nobody wants to be up against the wall of a Department of Labor (DOL) audit.
Unfortunately, for plan fiduciaries not intimately familiar with cybersecurity, the possibility of such an audit grows more imminent each day.
Hacking and ransomware have the potential to create havoc for the assets and sensitive data housed in benefit plans across the country. As a result, in 2021, the DOL scaled up its interest in how administrators are addressing and responding to cybersecurity risks.
It’s never been more important to seriously consider cybersecurity risks, protect your plan and its participants, and take action to prepare for a comprehensive audit.
- The DOL is increasing oversight of cybersecurity as it relates to the prudent protection of benefit plans.
- Recent DOL guidance breaks down 12 best practices to meet DOL expectations.
- It can be argued that the DOL is not issuing only best practices in this case, but adding cybersecurity to the menu of items it will examine during routine plan reviews.
- Plan fiduciaries will need to provide evidence to the DOL to prove what is being done to safeguard plan assets, information, and systems.
- 3 steps companies can take to prepare for an audit include: (1) Document cybersecurity policies and procedures; (2) Engage an auditor to conduct the required third party audit of security controls; (3) Develop a strategic plan for identified deficiencies.
Benefit plans are tempting targets for cyber-criminals because they hold massive monetary assets and sensitive personal data. That’s why the DOL is increasing oversight of cybersecurity as it relates to the prudent protection of benefit plans.
- February 2021: U.S. Government Accountability Office (GAO) reports that the “sharing and storing of [information used to administer a defined contribution retirement plan] can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.”
- April 2021: U.S. Department of Labor (DOL) issues guidance concerning cybersecurity risks for employee benefit plan service providers, fiduciaries, and participants.
- October 2021: Federal court in Chicago rules that employee benefit service providers must comply with a subpoena for documents and communication related to providers’ cybersecurity plans and controls.
New DOL Expectations for Administrators
For plan administrators that have not worked extensively with cybersecurity, it may be unclear what exactly the DOL will request and expect. Recent DOL guidance breaks down the following 12 “best practices”:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable, independent, third-party auditor conduct an annual audit of security controls.
- Ensure strong access control procedures.
- Clearly define and assign information security roles and responsibilities.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate vendor management security reviews and independent security assessments.
- Conduct cybersecurity awareness training annually, at a minimum.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Deploy a formal Incident Response Plan to appropriately respond to and recover from cybersecurity incidents or breaches.
Plan Administrators Must Take Cybersecurity Compliance Seriously
Issuing best practices can sometimes be considered vague. This – along with the long list of responsibilities of plan administrators – can make it tempting for decision-makers to kick the can down the road.
Administrators and fiduciaries would be wise not to let that happen.
It can be argued that the DOL is not issuing only best practices in this case. The DOL added cybersecurity requirements to the menu of items it will examine during routine plan reviews.
Administrators should be prepared to provide:
- An independent, third-party auditor’s report over the design and effectiveness of security controls within their plan’s environment
- Proof of cybersecurity preparedness from the recordkeeper, trustees, payroll providers, and any other businesses involved with the benefit plans
- Detailed documents related to cybersecurity programs that impact plan data
- Documentation related to the ongoing security review of third-party service provider cybersecurity practices, as part of the plan’s overall vendor risk management program
Potential for Personal Liability
One thing is becoming increasingly clear. Cybersecurity is no longer “IT’s problem.” As a fiduciary, you already have a duty to be prudent.
Lapses in cybersecurity can result in claims of negligence with regard to fiduciary responsibilities.
The responsibility for cybersecurity falls upon many individuals – the board of directors, plan administrators, trustees, recordkeepers, service providers responsible for plan-related IT systems, and even plan participants.
It’s abundantly clear that the DOL wants to understand what is being done to safeguard plan assets, information, and systems.
Plan fiduciaries are going to be held accountable for:
- Making prudent decisions about how they approach risk and secure information
- How they hire and keep tabs on service providers
- Constructing, documenting, and preparing for a DOL audit
- How they maintain compliance with cybersecurity best practices and requirements
How Much Liability Is at Stake?
We met with Joseph Lazzarotti, an employee benefits attorney who focuses on compliance, to discuss the application of existing penalty provisions in connection with a DOL audit and other investigatory activities.
According to Mr. Lazzarotti, who is also a Certified Information Privacy Professional, shortly after this guidance was published, the DOL began contacting plan sponsors and fiduciaries and inquiring about cybersecurity practices, including expanding existing and new audit activities to address the guidance.
“We’ll have to see how audit findings will translate into 502(l) penalties. It’s unclear whether the 20 percent rule will be applied to the amount the vendor holds in accounts, the amount of an identity theft, or some other parameter. Although it’s too early to tell, the amounts could be significant,” said Lazzarotti.
3 Steps to Prevent Breaches and Prepare for a Cybersecurity Audit
There is no such thing as perfect when it comes to cybersecurity. It’s a process. And like any process, there will be lessons learned along the way.
Ultimately, a resilient cybersecurity strategy that protects the plan, the participants, and the fiduciaries is the goal. Below are 3 ways you can achieve that goal.
Step 1: Establish/Document Your Cybersecurity Policies and Procedures
Too many plan administrators spend their time trying to outrun a cybersecurity audit or breach. But chances are, it’s only a matter of time before you encounter one or the other. And when the inevitable happens, an avalanche of scrutiny tends to follow.
If you’re unprepared for that compliance scrutiny, it can take anywhere from 12 to 18 months of scrambling to get where you need to be.
Being proactive, expecting a breach and/or an audit, and preparing the proper documentation can save the day.
Document your policies and processes for maintaining compliance with DOL-issued cybersecurity best practices, starting with the following:
- Access control procedures to ensure appropriate authentication and authorization, user provisioning and deprovisioning, complex passwords and Multi-Factor Authentication, and user access reviews, among other best practices outlined in the DOL’s best practices.
- Change management procedures to ensure appropriate development, testing, and approvals of changes prior to migration to production; as well as, segregated environments for development and testing, restricted access for developers to production, appropriate administrator access, and periodic vulnerability and penetration testing.
- Continuity planning that includes an Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan; as well as, testing of the plans at least annually.
- Vendor risk management plan that includes a thorough evaluation and due diligence in vendor selection; as well as, ongoing vendor due diligence to monitor cybersecurity compliance.
Being able to prove you’ve made conscientious efforts to comply with DOL-issued best practices will serve as an effective defense against claims of negligence or imprudence.
Be sure to regularly review and update the policies and procedures for new developments and compliance requirements, as needed, at least annually.
Step 2: Engage an Auditor to Conduct the Required Third Party Audit of Security Controls
The third point in the DOL’s 12 best practices calls for “A Reliable Annual Third Party Audit of Security Controls”:
“As part of its review of an effective audit program, the Employee Benefits Security Administration (EBSA) would expect to see:
- Audit reports, audit files, penetration test reports and supporting documents, and any other analyses or review of the party’s cybersecurity practices by a third party.
- Audits and audit reports prepared and conducted in accordance with appropriate standards.
- Documented corrections of any weaknesses identified in the independent third party analyses.”
Your auditor should be able to provide value that goes beyond merely satisfying the DOL requirements. Engage a team with the necessary experience and skillset. Look for depth and breadth of technical skills and practical cybersecurity knowledge of the current industry landscape and risk environment.
This audit should identify actionable strategies that make meaningful improvements in your cybersecurity plan. Although this might be your first audit, it should produce impactful outcomes and drive ongoing follow-up reviews.
Step 3: Develop a Strategic Plan for Identified Deficiencies
The audit will reveal deficiencies in your cybersecurity controls. Remember, there is no such thing as perfection when it comes to cybersecurity.
The natural next step is to design a remediation plan to bridge the identified gaps in cybersecurity controls and procedures. Your auditor can help you develop a strategic action plan complete with a timeline and milestones.
Common recommendations that result from the audit will satisfy other DOL-issued best practices. For example:
- Vulnerability scans and penetration testing. These procedures uncover insights about risk. They’ll enable you to make cybersecurity-related decisions that are better informed and more proactive.
- Cybersecurity training and phishing simulations. Creating a culture of awareness and accountability is incredibly important. Ensure the whole team is familiar with the different types of online fraud schemes and how to recognize them. Run phishing attack simulations frequently to test employee readiness.
Employee Benefits Security Administration (EBSA), an agency within the Department of Labor, has put plan sponsors and fiduciaries on alert. In addition to maintaining a secure cybersecurity infrastructure, plan fiduciaries must incorporate cybersecurity considerations into all areas of the regular administrative process.
To conduct an independent security controls audit, learn more about this guidance or ensure your cybersecurity policies and practices comply with EBSA’s expectations, contact a member of PBMares’ Cybersecurity and Control Risk Services Team today.