Holding just under $11 trillion in assets, retirement plans are a particularly enticing target for cybercriminals. Through both audits and best practice guidance, the Department of Labor (DOL) is encouraging businesses that sponsor retirement plans to pay attention to managing cybersecurity risk. In this episode of AuditTalk, Jon Powell, RACS Partner at Moore Colson, and Candace Jackson, Business Assurance Partner at Moore Colson dive into the cybersecurity guidance from the DOL, including:
- Overview of the DOL cybersecurity guidelines — the “Big 12” for service providers.
- Cybersecurity best practices related to employee benefit plans for plan sponsors, plan service providers, and plan participants.
- Tools and strategies for implementing these cybersecurity guidelines.
Watch the full conversation, and read the can’t-miss highlights below.
Department of Labor Cybersecurity Program Best Practices
Candace Jackson: In April of 2021, the Department of Labor came out with what they’re terming cybersecurity best practices. We’re calling these the “Big 12” for service providers — what they need to be doing and what they’re going to be asked about.
1. Have a Formal, Well-Documented Cybersecurity Program
Jon Powell: The first step is having a cybersecurity program. Seems pretty basic, that’s why it’s the first one. It should enable the organization to identify, protect, recover, disclose, and restore — that sounds like NIST, and that sounds like looking at your cybersecurity program from start to finish and as it circularly refreshes itself.
2. Conduct Prudent Annual Risk Assessments
Jon Powell: These are great steps for a risk assessment in general. How do we identify risk as an organization? How are we protecting the confidentiality, integrity, and availability of our systems and of our data? As you go through a risk assessment, you want to know, what is the impact? What’s the potential velocity? How are we going to mitigate the risk? Are we going to accept the risk? This list of steps continues to speak to the robustness of the effort that you need — you should have a real risk assessment process in place that also refreshes itself on an annual or more frequent basis.
3. Reliable Third-Party Audit of Security Controls
Jon Powell: “Third-party evidence is a lot better evidence than information provided directly from a source. Inside the ecosystem of the employee benefit plan, having a third-party audit of a SOC report and doing a mapping from the SOC 2 criteria to the big 12 — it’s pretty close. You could add a few controls that are a little nonstandard and you could meet all of those requirements with the SOC 2 report. This could also include other external audits that have been done, maybe a cybersecurity analysis, just a more narrow focus, maybe a penetration test or vulnerability analysis. Anything done by an outside party is going to be more reliable evidence and easier to provide to the DOL should they come calling.”
4. Clearly Defined and Assigned Info Security Roles and Responsibilities
Jon Powell: “What they also want to see is that there’s good tone at the top. You should be sensing governance throughout this list. Do we have a CISO? If we don’t have a CISO, who’s in charge of managing the information systems? Is that the right person? What are their credentials?
5. Have Strong Access Control Procedures
Jon Powell: For IT auditors, access control procedures are right out of the standard playbook. Good protection includes complex passphrases with MFA. Reviewing user access on a periodic basis and having policies in place. I wouldn’t have expected to see monitoring of both authorized and unauthorized activity, but that’s absolutely important and certainly would be present in a mature cybersecurity environment. The participant itself should be immutable and should move throughout the environment and should be the same. What procedures are we taking to make sure that I have the right address? The date of birth doesn’t change, but maybe your name changes. Anything that could change in that file, how are we making sure that’s immutable as it moves through the process?
6. Any Assets or Data Stored in a Cloud Environment or Managed by a Third-Party Service Provider Must be Subject to Appropriate Security Reviews
I’d venture to say that everybody here today is using the cloud in some form or fashion. You have a Gmail or Outlook account — maybe it’s not you personally, but your organization certainly is using AWS or Azure, Yardi, ADP, all these big, hosted solutions. You have a payroll provider. If you’re in the ecosystem of the employee benefit plan, we need to make sure that that data is also secure. How are we addressing third-party providers that have access to our data?
7. Conduct Periodic Cybersecurity Awareness Training — And Update to Reflect New Risks
Jon Powell: Another fan favorite, cybersecurity training. It’s one of those things like your parents telling you not to do something over and over — like I tell my two-year-old, “Hey, don’t stick your finger in the electrical socket.” It’s good to have those reminders on a periodic basis, as well as doing phishing simulations.
8. Implement and Manage a System Development Life Cycle (SDLC) Program
Jon Powell: Secure SDLC is another example of how well thought out and developed this list is. For those that aren’t familiar, we’ve been developing software for a really long time but at the onset, not always as concerned about making sure security is built in. If you try to add security onto an application that’s been out there for 15 or 20 years, it’s really hard to do well. So, if we are developing an application or we have a third party that’s developing their own software, or is hosting something that we’re leveraging — what is their secure software development life cycle? What are they doing to ensure that Log4j or other types of code that are known to be breachable are not buried in there? Again, it shows the robustness of the program to be asking about secure SDLC.
9. Have an Effective Business Resiliency Program Addressing Business Continuity, Disaster Recovery, and Incident Response
Jon Powell: This is my favorite one because I really the term “business resiliency program.” It combines PR, business continuity, and incident response plans all in one. How will the business be resilient? Is it part of the ecosystem that we are directly engaged with? You shouldn’t just have the plan, but you should also do robust testing on an annual basis at least to make sure that you can recover in the face of an incident.
10. Encrypt Sensitive Data, Stored and in Transit
Jon Powell: Encryption kind of goes without saying. What encryption is in place for our data at rest and for our data in transit?
11. Implement Strong Technical Controls in Accordance With Best Security Practices
Jon Powell: For the IT nerds out there, the strong technical controls. This can run the gamut. They don’t list an exhaustive list, but things that we would know like network segmentation, system hardening, how are we doing backups? What is our patch management policy for our laptops and our servers? What are we doing for our firewalls and our endpoints to make sure that those are up to date with the latest firmware? How do we disable the admin account? Things like that.
12. Appropriately Respond to Past Cybersecurity Incidents
Jon Powell: Finally, we come to the prior cybersecurity incidents. If you’ve got a good plan that defines what should happen and you’ve got a business resiliency plan as mentioned in number nine, this should be second nature. If you’ve had a breach, how did that go? If you have not, do you have a good plan that addresses that?
Plan Sponsor Suggested Actions
Candace Jackson: So we’ve got some plan sponsor suggested actions. What we’ve been talking about really relates to the service providers. These are things that the plan sponsor should be doing to review DOL guidance and enhance cybersecurity practices.
Preparedness: Consider the adoption of a cybersecurity policy.
Candace Jackson: When looking at preparedness, consider the adoption of a cybersecurity policy, including general frameworks that assist the plan fiduciaries in carrying out your assessment prudently to ensure the safety and confidentiality of participant data. This includes internal security, external security, selection and monitoring of service providers, education and training, breach response, fidelity bond and cybersecurity insurance covering your plan, and periodic review of all of those policies.
Contracting: Review and enhance cybersecurity terms with your vendors.
Candace Jackson: Understand their standards for handling participant data and the reasonable use of participant data. We’ve seen some service providers get in trouble for using participant data to market other services to them. Maybe they’re using participant data and they’re sending them some type of health insurance offerings or life insurance policies and they get in trouble because it may be within their organization, but did you have the consent to share that data within your organization to target them for additional services? The DOL does want you to have an understanding of how the companies are using the participant data that they’re holding.
You also want to understand what their remediation plan is, what their independent audits look like, and what they’re covered in terms of indemnification and insurance. If something happens, whose responsibility is it? We’ve seen a lot of the larger service providers offer cybersecurity guarantees. Basically, if the participant is monitoring their account, they make them aware of the breach in a timely manner, then the service provider will put that money back into their account, and then they’ll go after the criminals, versus it falling as a responsibility of the individual. Again, sometimes that can be, are you sharing your password with someone? Are you being unreasonable with the security measures you’re taking? If you’re doing the things that you should be doing, a lot of the service providers will take ownership of those breaches.
Plan Sponsor should request that each of the following fiduciaries /Service Providers complete a questionnaire (at a minimum) or otherwise assert/attest their alignment with the 12 Cybersecurity Program Best Practices
Candace Jackson: I’ve seen some of our clients sending those “Big 12” in a question format to their service provider to say, “What are your policies and what are you doing around these 12 areas?” For the access to the assets, the record keeper and the custodian are where you’re going to see the most risk because they can get access to the funds. With a third-party administrator or payroll provider, the access there is more limited to PII-type information. You can consider accepting a SOC 2 in lieu of the “Big 12”, a lot of the payroll providers are offering those and understanding how they’re encrypting the data that they’re obtaining or that they have.
Plan Sponsors should communicate best practices to participants
Candace Jackson: The plan sponsors at a minimum should be communicating best practices to participants. For individuals, they need to register, set up, and routinely monitor their online accounts. Use strong and unique passwords and use multifactor authentication. Keep personal contact information current, close or delete unused accounts. Beware of free Wi-Fi — don’t log into your retirement account while you’re sitting at Starbucks. Beware of phishing attacks, use antivirus software, and keep apps and software current. Know how to report identity theft and cybersecurity incidents — a lot of the record keepers do lay out what to do if you notice something going on with your account that you need to notify them about.
Plan Sponsors should also self-assess against the 12 Cybersecurity Program Best Practices.
Candace Jackson: We’ve talked a lot about service providers, but for plan sponsors it’s also a great practice to self-assess against the “Big 12.” Large organizations can have very formalized IT risk assessments and policies and procedures based on the size of the plan sponsor. Those requirements might be scalable based on the size of the organization, but will still need to be aware of the risk and addressing those risks to the best of their ability.
Looking for more thought leadership? Check out our on-demand webinar library, and stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences.