by David Lam, CISSP, CPP

In today's interconnected world, where digital technologies are an integral part of our professional and personal lives, safeguarding digital assets and data has become a top priority, especially for employee benefit plan fiduciaries. Implementing a strong cybersecurity framework is crucial to protecting sensitive information, ensuring business continuity, and preserving participant trust.

Without adequate data protection, plans and participants are exposed to internal and external cybersecurity threats and breaches, which can result in financial loss and severe penalties. The DOL expects plan fiduciaries to take prudent precautions to mitigate these risks, as laid out in the Department of Labor's 12 best practices for maintaining a secure, resilient, and confidential cyber ecosystem.

By this point, most employee benefit plan fiduciaries and staff are very familiar with the DOL Cybersecurity Program 12 Best Practices. We have a few critical points that we hope prove useful when considering how to implement them in your program.

  1. A formal, well-documented cybersecurity program sets the bar for what you need to do. It tells all of your team members and third parties how everyone's data is to be kept safe.
  2. As much as we like to trust others, an essential tenet of information security for the past 40 years has been 'trust but verify'. That is why it is important not only to obtain a reliable annual third-party audit of your own security controls, but also to require the same of any third party that has access to sensitive data. We have seen many responses to DOL third-party questionnaires that claim these practices are in place, but when we ask for further details, there is no evidence that they are actually operating as intended.
  3. We cannot say enough about the DOL's eighth best practice: implement and manage a secure system development life cycle (SDLC) program. Many companies do not have one in place, and it is often not examined in depth by a standard SOC 2 audit; an ISO 27001 certificate on its own does not demonstrate that secure development controls are operating effectively. If you or one of your third parties creates software, have your subject matter experts review this practice.
  4. Finally, make sure that your plan and your third parties can respond appropriately to cybersecurity incidents. This means having effective business continuity and incident response plans in place, and confirming that any past incidents were handled appropriately.

Fiduciary responsibility 

Plan sponsors, service providers, and administrators have a fiduciary responsibility to secure the personal and confidential information related to employee benefit plans. However, the 12 DOL Best Practices are not a one-and-done task list. To keep pace with constantly changing threats, organizations need to be prepared to adapt their program and adjust their approach to securing data and confidential information. Remember, your cybersecurity program is only as effective as the people using it, so periodic (no less than annual) security awareness training for your teams is a minimum bar. We also strongly recommend at least monthly phishing defense training, in which users receive unannounced simulated phishing emails and are given immediate education if they click on one.

Mitigating overall cyber risk

In the face of cybersecurity breaches, organizations of every size and scope need a commercially reasonable information security program, one that can withstand the scrutiny of an audit against the DOL's guidelines. We are aware that the DOL is currently conducting such audits and look forward to hearing about their outcomes. Following the DOL Cybersecurity Best Practices will not only help create more secure cyber ecosystems, but will also protect those whom these plans serve. Proactive planning, monitoring, and protection have never been more critical in mitigating overall risk.

For more information on safeguarding your cybersecurity ecosystem, please contact us.

We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.