by David Lam, CISSP, CPP and Kimberly Pease, CISSP
Information security, sometimes referred to as cybersecurity, is top of mind for many companies and individuals – and with good reason. There are ever-increasing stories of hacks and breaches of governments, major corporations, and even technology firms themselves. Even so, most employee benefit plans, labor organizations, and third-party administrators have not yet implemented a formal, risk-driven cybersecurity program as aggressively as they should – or do not even know where to begin. To guide organizations in understanding what they really need to do, the DOL has finally issued formal guidelines for the cybersecurity challenge; our information security experts have been advising on these types of guidelines for more than 20 years.
Below, we break down the key takeaways and add some of our own tips and information security practices to consider when implementing commercially reasonable cybersecurity governance. (You can read more about the DOL guidance in the press release here: https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414.) The first thing to know is that implementing commercially reasonable cybersecurity practices does not have to be an insurmountable task, but it will require leveraging subject-matter experts.
The DOL guidance lists 12 specific best practices:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Overwhelmed? You Don’t Need to Be
Achieving these practices, specifically having a “formal, well documented program,” does not need to be difficult. What you need is a roadmap for implementing these requirements.
How do you achieve this? Simple. You implement risk-driven, formal cybersecurity policies and standards that spell out what you need to do and how you need to do it. (Miller Kaplan has a complete and thorough set of policies and standards that we license and which are designed to comply with emerging frameworks, information security laws, regulations, and most contractual requirements.)
One of the first steps in getting your cybersecurity program in place is to appoint a senior executive to be in charge, and to make sure that person is backed by someone with information security subject-matter expertise.
It’s important to note that cybersecurity and IT are two very different disciplines, and that in order to have effective and commercially reasonable practices in place, IT actions must be governed by senior leadership as well as by cybersecurity policies and practices.
Once policies and standards are in place, the next step is to have an outside third-party cybersecurity firm (Miller Kaplan can also help with this process) conduct a gap analysis to identify where the organization is out of compliance with those policies and standards. From there, organizational leadership will have an in-depth understanding of where the biggest risks to the organization lie. Then remediation and culture change can begin in earnest.
Also remember, in this age of phishing attacks and ransomware, it is critically important to have a strong incident response and business continuity plan. Many of our clients have been surprised to find out, only after an incident, that their backups were not working properly, leaving them no options for recovery.
Finally, we want to emphasize the critical importance of an effective cybersecurity training program:
“Employees are often an organization’s weakest link for cybersecurity.” – DOL guidance on Cybersecurity Best Practices
We couldn’t agree more, which is why it is so critical to implement recurring awareness and phishing defense training for your organization. These training sessions educate your team members on how to recognize attack vectors and how to handle a potential threat; they are the first step in developing a culture of security. One of the greatest security risks comes from users who are forced to make their own decisions in the absence of security guidance and direction from leadership.
Remember, the first step to an effective program is creating the plan: those cybersecurity policies and standards. With these in place, your organization can begin its journey of managing its cybersecurity needs, as required by the DOL. Whether you’ve already started the process or are feeling overwhelmed about developing a program from scratch, our information security experts can help.
We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.