Written by Kristian Kananen & Christopher Tipper
We have issued white papers on the EBSA’s guidance on their cybersecurity tips and what a service provider needs to do to be hired by the Plan Fiduciaries. This paper discusses the EBSA’s best practices for cybersecurity for Plan Fiduciaries. The EBSA is very aware that having access to retirement plan participant data is like finding the golden ticket for hackers and other bad actors. There are trillions of dollars invested in retirement plans, not to mention the wealth connected to participants’ Personal Identifying Information (PII). It’s a very tempting treasure chest for evil doers.
Since issuing the cybersecurity guidance, DOL auditors have begun incorporating the guidance into their audits of qualified plans. The incorporation includes requesting details as well as documentation. While this may be an information finding procedure as opposed to an enforcement activity, the impact of what they find in these initial audits will likely influence future EBSA cybersecurity regulations. The more compliance they see now, the easier it should be in the future. Maybe. Hopefully.
Most Plan Fiduciaries are also participants in their plans. Working to ensure the safety of plan data is personally beneficial to their business in addition to ensuring the safety of their participants’ information. Interpreting the EBSA’s Best Practices guidance holds the key to determining what this means in the day-to-day operations of the plan for both the Plan Fiduciaries and the service providers.
Have a Formal, Well Documented Cybersecurity Program
Such a cybersecurity program looks at not only the plan sponsor’s internal risks, but the risks that may originate with service providers. It needs to be clear as to what can and cannot be done by those accessing the plan data. The goal of a cybersecurity program is to protect infrastructure, information systems and information from unauthorized access, use or malicious acts.
The program must be designed to identify risks to the plan, to participants and to plan assets. It needs to detect and respond to what the EBSA refers to as cybersecurity events. This paper refers to them as cybersecurity attacks. If there is a cybersecurity attack, the program must have a plan for how to recover from the attack and restore normal operations. Then there is the disclosure to those involved in or impacted by the attack, which is not a conversation anyone wants to have with plan sponsors or clients.
A cybersecurity program needs to clearly document ‘information security policies, procedures, guidelines and standards to protect the security of the IT infrastructure and data stored on the system’. If the plan undergoes a DOL audit, all documentation pertaining to the program, its design, and its operation, will be requested by the auditor.
The cybersecurity program must be under the guidance of Senior Leadership, which means that leadership must understand what the program is designed to do, how it will do it and who will be responsible for the program. While the Plan Fiduciaries retain responsibility for the program in the grand scheme of things, they will need to look to those educated in cybersecurity to design and implement the program under their oversight.
The program is not a set it and forget it and assume those appointed to design and implement it will work in the plan’s best interest. An annual review is required. And since cyberattacks are constantly evolving, the program must be updated periodically.
All parties accessing the cybersecurity program and plan data must understand the terms used in the program. IT people use many acronyms in their work and that tendency flows into communication with those outside the IT world. Definitions and descriptions for all terms and acronyms will help ensure the success of the program.
An independent third-party auditor should review the program and confirm compliance with accepted cybersecurity practices.
The program must document how the system, information and data were assessed to determine the level of security. Knowing the logic and basis for the original program can help future updates be more effective.
Prudent Annual Risk Assessment
Cyber thieves give new meaning to the phrase ‘no rest for the wicked’ and they are relentless. While the EBSA guidance refers to an annual risk assessment, those charged with ensuring the security of the systems, information and data must be ever vigilant.
The 2016 DOL Advisory Council Cybersecurity Report did not limit its recommendation for risk assessment to just annual by recommending ‘a benefit plan cybersecurity strategy and the corresponding processes should reflect changes in the cybersecurity risk environment’. Such changes, we know, are constant. They also recommended that for a cybersecurity program to be successful someone must e the named responsible party to implement a program within the plan sponsor’s organization and to coordinate with the fiduciaries and the service providers.
A risk assessment is a deep dive into the system to identify risks and can be performed by the IT department of the Plan Sponsor, or by an outside consultant. The goal of the assessment is to:
Determine how cybersecurity risks and threats are assessed, evaluated and categorized and what procedures and processes will be used in that determination;
Establish the criteria to evaluate how confidential the information system is, the level of integrity of the system, and how available the information systems and nonpublic information are. It then documents the controls that are in place to address any identified risks;
Describe how the cybersecurity program will reduce the risks identified or accept them as not all risks can be avoided when it comes to meeting retirement plan obligations to participants and government requirements;
Facilitate control revisions in the cybersecurity program to keep pace with technology changes and new threats; and
Be updated to account for changes to information systems, nonpublic information or business operations
A Reliable Annual Third-Party Audit of Security Controls
There is a whole industry that has evolved around cybersecurity for companies and their data. An auditor who is certified through the Information Systems Audit and Control Association (ISACA) has specialized in cybersecurity and must meet continuing education requirements to maintain their certification. Such an auditor would be considered acceptable by any EBSA auditor. The point of the audit is to find and document existing risks, vulnerabilities, and weaknesses from the viewpoint of an outside party and should include:
- An Audit Report of findings conducted according to appropriate standards
- Audit Files supporting the audit report
- Penetration Test Reports and documentation
- Analyses of the Plan Sponsor’s, or Plan Fiduciaries, or Service Providers cybersecurity practices
Clearly Defined and Assigned Information Security Roles and Responsibilities
As the 2016 Council mentioned in their report on cybersecurity, ownership of the assigned responsibilities for security of the system is vital. Senior executives need to manage the cybersecurity program, but they need to hire qualified personnel to initiate it. While large corporations can hire a staff of qualified people, a small employer may have to rely on outside help. There needs to be someone, the Chief Information Security Officer (CISO) employed by the plan sponsor or a consultant, who knows the design and focus of the cybersecurity program to be performed by qualified personnel. Qualified personnel must know what is required and have sufficient experience and certifications. They should undergo initial and periodic background checks as they will have access to all plan data and participant PII. Keeping up to date on current cyberthieves’ shenanigans and innovations through regular updates and training is a given for the CISO. Current knowledge of cybersecurity threats and their countermeasures is vital.
Strong Access Control Procedures
One of the challenges in keeping plan data safe is that it is available online for plan participants, employees of the plan sponsor and service providers. There have been numerous attempts by hackers to access a participant’s account and request distributions or loans. Some have been successful, much to the chagrin of the company whose procedures allowed them to happen. Companies who have successfully turned away the attacks on participants data by bad actors use these attacks as learning opportunities and as an incentive to refine their cybersecurity best practices.
Strong access control procedures will include limiting authorized users, the processes they use to access the data, the devices they can use, the activities and transactions to access to the plan systems, assets, and associated facilities. Only those who need access to the system for their role with the plan, should be allowed to access the system. A Third-Party Administrator who processes distributions, or performs annual administration, has a need to know about the plan and its assets and would meet the criteria for having access. The Plan Fiduciaries and service providers must regularly review access privileges and follow established policy for disabling or deleting a party from access to the plan data.
Everyone associated with the plan, from the participants to the Plan Fiduciaries to service providers must use unique and complex passwords. Participants should be educated about the risks associated with using simple passwords, like “password” or “12345678”.
When a participant logs into a service provider’s network to access his account, multi-factor authentication should be used to ensure the participant is who they say they are.
The activity of authorized users must be monitored to have a chance of detecting unauthorized access, use or tampering with nonpublic information. There also needs to be procedures to ensure a service provider’s sensitive information about a participant or beneficiary matches the plan sponsor’s information. Those committing cyber-fraud have been known to change a participant’s home address and have payments and forms sent without the participant’s knowledge. The ability to confirm the identity of any recipient of funds can thwart the fraud.
Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider are Subject to Appropriate Security Reviews and Independent Security Assessments
The ‘cloud’ provides an easily accessible location for data that is used to provide data to service providers and for service providers to use that data to provide reports and services for plan administration. The tricky part of the cloud is ensuring that only the ‘right’ people access that data. If using, or deciding to use, a cloud service provider, the security posture of that provider needs to be understood. This burden in dealing with third party service providers can be eased by requiring they have a risk assessment. The cloud service provider must know the minimum cybersecurity practices the plan requires and they must perform periodic assessments for potential risks.
At minimum, guidelines and contractual protections should address access control policies and procedures including multi-factor authentication, encryption policies and procedures and notification protocol should a cybersecurity attack directly impacts a customer and their information systems and nonpublic information.
Cybersecurity Awareness Training Conducted at Least Annually for All Personnel and Updated to Reflect Risks Identified by the Most Recent Risk Assessment
Employees are the loose cannons of cybersecurity and, thus, are most at risk of identity theft resulting in unauthorized distributions of their accounts. They need to be educated to be aware of a cybersecurity threat and how to avoid it. Hackers often pose as a plan official, fiduciaries, participants, or beneficiaries to convince employees to provide them with information. Employees need to know how to identify a fake and avoid them.
Secure System Development Life Cycle Program (SDLC)
SDLC is designed to ensure security activities such as penetration testing, code review and architecture analysis are integrated into system development. It should ensure any in-house applications are developed securely and include system alerts when an individual’s account information is changed, require additional validation of an individual’s account information has been changed prior to a request for a distribution and require additional validation for distributions other than a rollover of the entire balance in a participant’s account.
Externally developed applications should be evaluated and tested and include periodic reviews and updates. Regular vulnerability scans and vulnerability management must be part of the SDLC as well as annual penetration tests.
A Business Resiliency Program Which Effectively Addresses Business Continuity, disaster Recovery and Incident Response
A business continuity plan is written and contains the process and procedures to recover, resume and maintain business processes and functions as they were before a cybersecurity attack, after the cybersecurity attack. It must include recovery and resumption of an IT infrastructure, business application and data services if there is a cybersecurity attack. IT staff will rely on the Incident Response Plan to detect, to respond and to recover from security attacks.
An effective business resiliency program defines the internal processes for responding to an attack or a disaster, define plan goals, define documentation and reporting requirements for cybersecurity attacks, clearly define and describe the roles responsibilities and authority levels; describe external and internal communications and information sharing including notification protocols, identify remediation plans for weaknesses in information systems, include how plans will be evaluated and updated following a cybersecurity attack or disaster, and be annually tested.
Encryption of Sensitive Data Stored and in Transit
Data encryption based on current, prudent standards for encryption keys, message authentication and hashing protect the confidentiality and integrity of data.
Strong Technical Controls Implementing Best Security Practices
Technical security controls are primarily implemented and executed by the information system through hardware, software, or firmware components of the system. Best practices include keeping all hardware, software and firmware up to date, using firewalls, intrusion detection and prevention appliances/tools, ensuring antivirus software current and up to date, and performing routine patch management, Segregating the network, system hardening, and routine data backup are included in strong technical controls.
Responsiveness to Cybersecurity Incidents or Breaches
It is likely that every company will experience a cybersecurity breach or incident and if so, their priority should be to protect the plan and its participants. Informing law enforcement, notifying the insurance carrier for their cybersecurity policy, investigating how the incident occurred, giving affected plans and participants information to help prevent or reduce any negative impact on them, honoring any contractual or legal obligations with respect to the breach are the responses expected of Plan Fiduciaries and service providers. It goes without saying that fixing the problems or vulnerabilities that allowed the breach to occur will help prevent a recurrence.
All the issues addressed above are also the subject of a DOL audit of a plan. Maintaining the documentation for the Cybersecurity program, having third party service providers who also document their cybersecurity program will ensure easily passing any audit. In this time of increased cybersecurity threats, every Plan Fiduciary needs a platoon of cybersecurity experts to keep plan data safe.