Warning: Cyber criminals are coming for your client’s retirement information

As cyberattacks and cybercriminals are becoming increasingly sophisticated, safeguarding employee benefit plans, including health and welfare plans, is crucial.

The Employee Benefits Security Administration of the U.S. Department of Labor has published an update to its guidance initially issued in April 2021 on cybersecurity best practices for plan sponsors and fiduciaries.  

The guidance has 12 recommendations. A summary of each follows:

No. 1: Establish a Formal Cybersecurity Program. This includes developing and maintaining a program that identifies and assesses internal and external cybersecurity risks.

No. 2: Conduct Annual Risk Assessments. Plan sponsors should regularly evaluate potential threats to their IT infrastructure.

No. 3: Have a Reliable Annual Third-Party Audit of Security Controls. Independent auditors should assess a plan sponsor's security posture. This can help identify vulnerabilities and weaknesses from an unbiased perspective.

No. 4: Clearly Define and Assign Information Security Roles and Responsibilities. It is important for plan sponsors to define roles and duties within the organization to effectively manage the cybersecurity program.

No. 5: Implement Strong Access Controls. Plan sponsors should use multifactor authentication and limit personnel access to sensitive data and systems.

No. 6: Use Cloud or Managed Service Providers. This includes requiring that all third-party service providers undergo security assessments so that plan participants' sensitive data is adequately protected.

No. 7: Provide Cybersecurity Awareness Training. It is important for plan sponsors to continually and frequently educate all employees on cybersecurity risks.

No. 8: Develop a Secure System Development Life Cycle Program. This includes incorporating security measures throughout the development and maintenance of systems to prevent vulnerabilities.

No. 9: Implement a Business Resiliency Program. Establish business continuity, disaster recovery, and incident response plans, all of which can help plan sponsors and fiduciaries to quickly address and recover from cybersecurity attacks.

No. 10: Encrypt Sensitive Data. This includes encrypting all data both at rest and in transit to prevent unauthorized disclosure. 

No. 11: Implement Strong Technical Controls. Plan sponsors should keep hardware, software, and firmware up to date so that known vulnerabilities are patched. Additionally, it is important to maintain up-to-date backups and network segmentation.

No. 12: Appropriately Respond to Any Past Cybersecurity Incident. Have protocols in place for notifying law enforcement, investigating the incident, and hardening the IT infrastructure to prevent a security incident from recurring. In addition, plan sponsors should have a plan for determining when to notify affected individuals, as well as state and federal regulators.

The guidance is meant to help plan sponsors and fiduciaries enhance their cybersecurity posture. By adhering to these guidelines, plan sponsors and fiduciaries demonstrate their commitment to safeguarding sensitive information.

To learn more about the guidance, please click here.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries in developing a comprehensive incident response plan or in responding to a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Lauren Godfrey, Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

  • Victoria, Associate Attorney

    As a member of our rapid response team, Victoria assists clients in responding to a variety of cyberattacks including business email compromises, fraudulent wire transfers and ACH payments, ransomware and other extortionate attacks ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
