Department of Labor Issues New Cybersecurity Guidance
By: Birch

On April 14, 2021, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) issued guidance for plan sponsors, fiduciaries, plan participants, and plan beneficiaries on best practices for reducing internal and external cybersecurity risks. This is the first time in EBSA’s history that such guidance has been issued. EBSA has released three cybersecurity tip sheets that discuss cybersecurity program best practices, recommendations for hiring a service provider, and online security guidelines.

Cybersecurity Program Best Practices (available here)

This document sets out twelve best practices that organizations should adopt to mitigate cybersecurity risk. EBSA emphasizes establishing a formal, well-documented cybersecurity program, reinforced by annual risk assessments and third-party audits of security controls. Companies that house data with a third-party service (a cloud service, an outside vendor, etc.) should understand that service's security practices and ensure that they meet the company's cybersecurity requirements. Internally, EBSA recommends that organizations define clear roles and responsibilities for the program and implement strong access-control procedures. Employers should provide regular cybersecurity awareness training for their employees; establish a business resiliency program that incorporates business continuity, disaster recovery, and incident response; and respond appropriately when cybersecurity incidents or breaches are identified. Regular security testing, encryption of sensitive data, and strong technical controls round out the practices for further mitigating cybersecurity risk.

Tips for Hiring a Service Provider (available here)

In this document, EBSA has compiled six tips to help organizations select service providers with strong cybersecurity practices. Companies should:

  • Compare a potential service provider’s security policies and audit results against industry standards
  • Ask the provider what level of security standards it has established and how it validates those standards
  • Evaluate the provider’s security track record
  • Ask whether the provider has experienced past security breaches and, if so, how it responded
  • Determine whether the provider has insurance policies that cover losses due to internal and external cybersecurity breaches; and
  • Make sure that contracts with any service provider require “ongoing compliance with cybersecurity and information security standards.”

Online Security Tips (available here)

This final document includes nine online security tips to help individuals protect their accounts against fraud and loss. Participants should:

  • Register and regularly monitor their online accounts
  • Establish strong, unique passwords
  • Use multi-factor authentication to verify accountholder identity
  • Keep participant contact information current
  • Close all inactive accounts
  • Refrain from using public wi-fi to access their accounts
  • Be wary of phishing attempts
  • Use current antivirus software; and
  • Be knowledgeable on how to report identity theft and/or cybersecurity issues if they occur