In April 2021 the United States Department of Labor (DOL) issued its first guidance to help retirement plan sponsors and administrators implement a sound cyber security program. The Department of Labor estimates that over $9 trillion in assets are held in various retirement plans, making them prime targets for hackers.
The Employee Benefits Security Administration (EBSA) released a cyber security guide highlighting 12 best practices considered essential for protecting personal information in retirement plans. While this is the first release of cyber security practices from the Department of Labor, the practices themselves are not new and should already be part of any sound cyber security program. The key is for organizations to quickly define, document and manage the internal controls required to implement them, which often takes a cyber security specialist weeks of effort.
Enabling DOL Cyber Security Compliance
Many organizations that fall under the DOL cyber requirements are small businesses. These smaller organizations typically do not have the skills or resources to develop a cyber security program. Using ComplianceShield, organizations can quickly develop a defensible cyber security program that addresses all of the key practices within the DOL guidance. By adopting our “Cyber Certification” baseline, organizations can formally define a complete set of internal controls that can be documented, tracked and ultimately verified by a third-party auditor (Item 3).
An essential part of a “well documented” cyber security program (Item 1) is a complete library of information security policies. The DOL highlights 18 specific policy topic areas, all of which are covered in the Common Policy Library (CPL). The ComplianceShield policy library will save hundreds of hours for organizations that must address this core requirement. In addition, a library of pre-built security roles and responsibilities (Item 4) enables rapid adoption and documentation of the essential cyber security organization.
Using our Cyber Risk Score methodology, organizations can quickly measure, benchmark and track the results of their cyber programs. Management reports make it easy to identify cyber program gaps and remediate them with expert guidance and pre-built tools and templates. Overall, the ComplianceShield platform enables management to demonstrate that they are taking their cyber security duties seriously.
In addition to the compliance documentation and tracking features, ComplianceShield also involves employees and other personnel in the cyber security process. An integrated User Portal enables the company to distribute regular security awareness training (Item 7) to all employees and track the results.
Summary of Recommended DOL Cyber Practices
The Department of Labor recommends the following key cyber security practices.
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Each of these topics is covered within ComplianceShield and the Common Policy Library (CPL). Two other DOL guides address the security of service providers and general online security awareness for retirement plan participants.