March 29, 2022
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

Employee Benefits Plan Cybersecurity Standards
How to Prepare for a DOL Cybersecurity Audit of Your Employee Benefits Plan
Sponsors of employee benefits plans (EBP) have a fiduciary duty to protect plan assets and participant information. These responsibilities now include monitoring and managing EBP cybersecurity. The growing risk of cyberattacks on corporations has led the Department of Labor (DOL) to audit sponsor compliance with EBP cybersecurity standards. Plan fiduciaries must share their cybersecurity policies and procedures, showing how they protect plan assets and participant data from cyberattacks.
In addition, sponsors must drive the ongoing optimization of their EBP cybersecurity framework. Failure to do so risks financial loss, reputational damage and breach of fiduciary responsibilities. In April 2021, the DOL’s Employee Benefits Security Administration issued its guidance for cybersecurity. Shortly after publishing these guidelines, DOL audit inquiries began asking about plan fiduciaries’ compliance.
Readiness is a Fiduciary Responsibility
Complying with DOL guidelines will help mitigate the risk of a cybersecurity audit and any resulting corrective action. If the DOL notifies you of an impending EBP cybersecurity audit, they’ll zero in on these policies, procedures and guidelines:
- Annual cybersecurity risk assessment
- Encryption for data transmission and storage
- Access control, identity management and use of multi-factor authentication
- Cybersecurity training
- Vendor and third-party service provider management policies and controls
- Incident response, disaster recovery and business continuity plans
Notice of an impending DOL audit typically comes with a short lead time, so plan sponsors do well to be ready in advance. They must demonstrate a historical best-practices approach to cybersecurity, documenting all communications, policies and procedures shared with plan participants and service providers.
Organizations can benchmark their cybersecurity guidelines against best-in-class programs: the National Institute of Standards and Technology publishes best-practice cybersecurity guidelines, and the Center for Internet Security publishes its Critical Security Controls.
Compliance Requires Documentation
The DOL offers clear-cut guidance for plan fiduciaries:
- Have a formal, documented cybersecurity program
- Conduct annual risk assessments
- Conduct annual third-party audits
- Maintain clearly defined information security roles and responsibilities
- Use strong access control procedures
- Conduct regular security reviews of assets or data stored in the cloud or managed by third-party service providers
- Implement regular cybersecurity awareness training
- Implement and manage a secure system development lifecycle program (SDLC)
- Develop a business resiliency program for business continuity, disaster recovery and incident response
- Use appropriate data encryption for the storage and transmission of sensitive data
- Maintain strong technical controls
- Respond to cybersecurity incidents quickly and effectively, with documentation
The DOL wants to see comprehensive documentation for all cybersecurity policies and procedures, for both plan participants and service providers. Recent inquiries have also requested details on previous cybersecurity incidents and the resulting corporate response.
Educating Plan Participants about Cybersecurity Policies and Procedures
Effective EBP cybersecurity depends on educated, engaged plan participants. These are basic steps sponsors should share with participants to protect their accounts:
- Routine monitoring of online accounts and activity
- Strong, unique passwords
- Multi-factor authentication
- Keeping personal contact information current
- Closing or deleting inactive accounts
- Avoiding free public wi-fi
- Learning to recognize phishing attacks
- Using anti-malware software and keeping apps and software updated
Plan sponsors are responsible for ensuring that plan participants follow these steps and understand why they are necessary. This requires an ongoing commitment to employee education so that protection keeps pace with new forms of cyberattack.
Strengthening Service Provider Protections for Data Security
Third-party administrators and service providers can be a weak point in EBP cybersecurity. It is therefore imperative for plan sponsors to ensure that vendor cybersecurity policies comply with the sponsor's best-practices guidelines. Such vendors typically provide a SOC 1 report, which addresses financial reporting risk. However, SOC 1 reports are not designed to provide sufficient information about a company's cybersecurity controls. Plan sponsors should request a SOC 2 report, which addresses security, confidentiality and availability controls. For vendors that don't have a SOC 2 report, it is the plan sponsor's responsibility to perform adequate due diligence over the service provider's cybersecurity practices, such as using a cybersecurity questionnaire and reviewing the service provider's policies and procedures.
The DOL holds plan sponsors responsible for monitoring and maintaining third-party compliance, so regular review of SOC reports and cybersecurity questionnaires is a critical tool. Plan sponsors should immediately address any gaps in security and ensure that their internal controls align with the company's cybersecurity practices.
The Importance of 24/7 Vigilance
Plan sponsors have no choice but to be ready for new forms of cyberattack and DOL inquiries about their cybersecurity policies and procedures. Assume your plan will face both and take the following steps:
- Keep all plan cybersecurity documents, policies and procedures current.
- Conduct an annual risk assessment.
- Maintain an incident response plan and a business continuity and disaster recovery plan.
- Test your recovery plans at least annually.
- Resolve any plan participant complaints in a timely manner.
- Consider having a third-party cybersecurity assessment.
If you want to strengthen your EBP cybersecurity practices, we can help. Windham Brannon combines advisory, cybersecurity and IT services for clients in a wide range of industries. Our experience and recommendations can help mitigate the risk of a DOL audit and costly corrective actions.