Benefits Buzz

DOL Provides Cybersecurity Best Practices for ERISA Plans

Posted on April 28th, 2021

The Employee Benefits Security Administration (EBSA), a division within the U.S. Department of Labor (DOL), recently published a Cybersecurity Program Best Practices document for employer plans subject to the Employee Retirement Income Security Act of 1974 (ERISA). Most employers who provide benefits are subject to ERISA, which sets minimum standards for employer-sponsored insurance plans, retirement plans, and other welfare programs.

The best practices document says, “ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”

As a result, the EBSA decided it was important to provide guidance for recordkeepers, plan fiduciaries, and service providers responsible for plan-related IT systems and data. The best practices document lays out a 12-step program that employers should consider, consisting of the following steps:

1) Have a formal, well documented cybersecurity program.

2) Conduct prudent annual risk assessments.

3) Have a reliable annual third-party audit of security controls.

4) Clearly define and assign information security roles and responsibilities.

5) Have strong access control procedures.

6) Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

7) Conduct periodic cybersecurity awareness training.

8) Implement and manage a secure system development life cycle (SDLC) program.

9) Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

10) Encrypt sensitive data, stored and in transit.

11) Implement strong technical controls in accordance with best security practices.

12) Appropriately respond to any past cybersecurity incidents.

The best practices document goes into further details for each step. Employers and insurance producers are encouraged to review the document.
