Published in HR Tech Outlook, June 2023.
By: Dorothy Cociu, RHU, REBC, GBA, RPA, President, Advanced Benefit Consulting & Insurance Services, Inc.
Ask and you shall receive? It does not happen as often as we’d like, but sometimes we are surprised, and it does. In the spring (April) of 2021, the US Department of Labor (DOL) released a much-needed (if not universally wanted) guidance package on cybersecurity for plan sponsors and plan fiduciaries. The release did not get as much press or attention as some, perhaps because COVID was still very much a part of our everyday lives at the time. One thing COVID did was bring out more and more bad actors involved in ransomware, malware and other cyber and online threats, in part because so many people were working remotely, and where there are remote employees there is a greater exposure to cyber-attacks. In some cases, incidents made national and worldwide news and affected many of our daily lives. But attacks can and do happen in our offices as well. Keep in mind: where there is data, there is a risk of someone gaining access to that data.
Most of us remember the Colonial Pipeline ransomware event in May 2021. It seemed to be the first of many cyber-attacks to hit us that year, but this one really hit home. As you’ll recall, the Colonial attack is the largest publicly disclosed cyber-attack against critical infrastructure in the United States; it hit the company’s IT systems and caused fuel shortages for weeks in the eastern United States. We found out later from news reports that the attackers got in through a leaked password for an inactive VPN account that was not protected by multifactor authentication. You may also recall that Colonial paid a ransom of millions of dollars to get its systems back up and running. Luckily for them, much of that money was later recovered by tracing the cryptocurrency. Still, the breach could have been avoided if Colonial had used basic cybersecurity practices that experts have been preaching for years: disable accounts that are no longer in use, and require MFA on anything reachable from the internet. Could have, would have, should have… Yet these cyber criminals continue to do their damage, and far too many companies have faced similar circumstances. No one wants to face that moment of sheer panic when your systems won’t come up, or when they do and you get a strange and frightening video or screenshot of someone telling you they now have your data and you must pay to get it back.
The DOL Cybersecurity Guidance was primarily aimed at protecting retirement plans, because of their high financial value and the financial security of so many individuals and families, but the DOL wrote the guidance to apply to all ERISA plans, including health and welfare plans, because every benefit plan holds valuable information (and assets) that cyber criminals want to get their hands on. The high number of breaches in the health care and health insurance industry in recent years makes this evident. Remember Anthem, Premera Blue Cross, UCLA Medical Center, NewYork-Presbyterian/Columbia University Medical Center, Children’s Medical Center of Dallas and so many more. ERISA plans hold not only financial assets but personal information that criminals want to exploit. The bottom line is that the DOL has made it clear that plan sponsors and plan fiduciaries have a responsibility and duty to protect the plan and its participants, and therefore a duty to mitigate cybersecurity risk.
ERISA and Plan Fiduciary Overview and Background
Before I get into the guidance and how it affects employer plan sponsors and plan fiduciaries, I want to provide a brief background that should help you understand the significance of the role of plan sponsors and their plan fiduciaries in employee benefits.
The Employee Retirement Income Security Act of 1974 (ERISA) includes reporting and disclosure requirements enforced by the Department of Labor (DOL), Employee Benefits Security Administration (EBSA). ERISA is a federal law that regulates employer-sponsored (a) pension plans and (b) employee welfare benefit plans—whether fully insured or self-funded.
Welfare benefit plans include medical, dental, vision, health FSAs, HRAs, LTD, STD, life, AD&D, pre-paid legal, some EAPs and some wellness programs.
Federal oversight is needed to protect benefit programs. So which government entities are involved, who audits what, and what areas are subject to review? ERISA reporting, disclosure and fiduciary (operational) requirements, and now cybersecurity, are enforced by the US Department of Labor. The IRS, the Department of Health & Human Services (HHS) and the DOL oversee the Affordable Care Act. HIPAA Privacy and Security are enforced by HHS through its Office for Civil Rights (OCR). Cafeteria plans and nondiscrimination testing fall under the IRS. Wellness programs are the responsibility of the DOL and the IRS, and Mental Health Parity, voluntary benefits and claims procedures are overseen by the DOL.
So, what is a fiduciary, and why is it so important? First, all ERISA-covered benefit plans are required to have fiduciaries. There are various fiduciary roles under ERISA (both named and functional), including the requirement that each plan have at least one named fiduciary identified in the plan document (ERISA § 402). The Plan Administrator (ERISA § 3(16)) is a fiduciary. Anyone who exercises discretionary authority or control over plan management or plan assets is a fiduciary (ERISA § 3(21)), as is anyone who provides investment advice to the plan for compensation. Most importantly, fiduciary status is based on the functions performed for the plan, not on a person’s title. One thing I always say when discussing the role of fiduciaries, whether with an employer client or when teaching a class, is that if it looks like a duck, walks like a duck and acts like a duck, it’s a duck! Therefore, if you are performing any of these functions, whether or not you’ve been given the title, you are indeed a fiduciary.
There are four main fiduciary duties under ERISA:
- Duty of undivided loyalty to plan participants and beneficiaries (the exclusive benefit rule), including acting for the sole purpose of providing benefits to plan participants, which includes paying only reasonable plan expenses.
- Duty of prudence (the “prudent person” standard of care). ERISA requires plan fiduciaries to act with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use. The DOL guidance now reads into this duty an obligation to ensure “proper mitigation of cybersecurity risks.”
- Duty to diversify the assets of the plan.
- Duty to administer the plan in conformity with its governing documents.
The DOL recognizes that fiduciaries cannot be experts in everything and encourages them to get help from experts if and when they need it.
Why Cybersecurity Compliance Matters
For an employer sponsoring an ERISA benefit plan, cybersecurity compliance matters for many reasons, among them:
- It is the legal standard and part of the Plan Administrator’s fiduciary responsibility.
- It is an employer obligation, not an insurer or broker obligation.
- It is needed in order to fix problems, respond to participant inquiries or complaints, and be ready in the event of a lawsuit.
- It prepares you for a DOL, IRS or HHS/OCR audit, or for a merger.
- It makes you a hero to the CEO/CFO.
- If the plan is self-funded, it is needed to stay compliant with stop-loss carrier requirements.
Real-World Applications of Cybersecurity Compliance
As I said previously, the DOL released its Cybersecurity Guidance in April 2021 for plan fiduciaries, plan sponsors, recordkeepers and plan participants. Why?
Without sufficient protections, “participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.” In addition, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”
I asked Marilyn Monahan, our Benefits Attorney, if she thinks plan sponsors and plan fiduciaries should be taking this seriously and if so, why? “By issuing this summary of ‘best practices,’ the DOL has announced that this is an area of concern and focus. Further, in the introductory paragraph of the guidance, the DOL clearly ties these best practices to existing ERISA fiduciary standards: ‘Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.’ Responsible plan fiduciaries would be well advised to take note.”
I asked our technology/IT and cybersecurity partners, Ted Flittner and Ted Mayeshiba of Aditi Group, if they thought plan sponsors and plan fiduciaries should be taking this cybersecurity guidance seriously, and if so, why.
“Dorothy, I have money in a plan. If it goes missing, you can bet I’m coming after my money,” stated Ted Mayeshiba, Principal. “Plan fiduciaries are named that [fiduciaries] because there is a responsibility to safeguard MY MONEY. There are too many horror stories which relate fiduciaries having individual accounts under their control hacked and money stolen. Now, with these guidelines, the legal standard of ‘duty of prudence’ has been clarified. Meaning, if you don’t follow these guidelines, you are more likely to be on the losing end of a judgement.”
His partner Ted Flittner continued: “This is the DOL’s way of making Cybersecurity an official, formal and now expected part of doing business in employer/employee related areas. Not following guidance is asking for investigation, judgement against you and penalties. But aside from the ‘legal’ or DOL impact, the guidance offered is just plain SMART and good for everyone.”
For another opinion, I spoke with Adriana Mendieta, an industry friend and fellow cybersecurity business associate, who is a database manager for Colonial Life and also specializes in cyber liability insurance coverage. “Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards. In my role, I strongly believe that cyber insurance plays a vital role in ensuring the cybersecurity of the plan.”
The guidance “complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”
I asked our Benefits Attorney, Marilyn Monahan, if she agreed with me that the release of such guidance means that they are putting a much higher emphasis on cybersecurity in benefit plans. “Yes,” Marilyn replied. “In fact, it is clear that cybersecurity is a priority not only with the DOL, but also with other federal agencies and at the state level as well. (The California Consumer Privacy Act of 2018 (CCPA)—as modified by the California Privacy Rights Act (CPRA)—is an example of the increasing interest in cybersecurity at the state level.) While this interest can seem to create significant challenges for employers and producers as they work to understand how multiple—and potentially overlapping—standards apply to them and their benefit plans, taken together they do also send a clear message that cybersecurity is a priority to regulators and must be to employers as well.”
The DOL/EBSA guidance is divided into three sections, which I will cover by topic for readers. I asked Marilyn for her thoughts on why it is important for you, as a plan sponsor or plan fiduciary, to create a complete cybersecurity program now. “The guidance was issued in 2021—a couple of years ago,” Marilyn stated. “The COVID-19 National Emergency and PHE are now over. With things getting back to ‘normal,’ this is a good time for employers to turn their attention to all aspects of compliance, including cybersecurity.”
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
In the first of the three parts of the guidance, the DOL focuses on tips for hiring service providers with strong cybersecurity practices. Plan sponsors have a fiduciary responsibility under ERISA to prudently select and monitor service providers, and the guidance makes it clear that each plan sponsor must have a process in place for doing so. One question to ask each provider is whether its own security process is completely documented; this should be part of your RFP process. Then find out how the service provider monitors its electronic files and data, and be sure every step is documented. Plan sponsors/fiduciaries should apply this scrutiny not only to new service providers but to current providers as well.
The service provider should follow a recognized information security standard and have an outside monitoring procedure. Does it have a documented standard of information security that tracks the who, how, why and when for everything in its possession? Lastly, ask who is overseeing the process. Each service provider should assign an individual or team to oversee it, and the employer/plan sponsor/fiduciary should ask for details on that procedure (or procedures).
Another step in hiring a service provider with strong cybersecurity practices, according to the DOL guidance, is to validate the provider’s practices against its track record: past security breaches and how they were mitigated. Is there public information about security incidents or breaches, or litigation and legal proceedings related to the vendor’s services? Ask the vendor about its internal process for each of these items, and also do Google and other public searches of your own rather than relying entirely on what the vendor tells you. My motto for this is trust, but verify!
Other things you can do as a plan sponsor/fiduciary: check the HHS “Wall of Shame” (entities covered by the HIPAA Privacy and Security Rules must report breaches to HHS/OCR, and breaches affecting 500 or more individuals are posted publicly on the OCR breach portal, which the industry nicknamed the “Wall of Shame”), search news sources that track breaches, and check news articles to see whether the vendor’s name comes up in connection with breaches smaller than those posted there. In addition, ask for client references and ask those references whether they know of any security breaches. What happened? How was it documented and reported? How did the service provider respond overall? How was it mitigated?
We all know that things can happen no matter how secure you think you are. After all, we are all dealing with the “weakest link,” which is human beings, our employees. That is why it is important to have insurance in place to cover losses, and why the guidance asks whether you have verified that the service provider carries cyber liability insurance. Insurers generally require written security procedures before they will write cyber coverage, so the fact that a provider has it tells you something. You may want to ask for a copy of the policy so you can check what it covers. Will it cover losses caused by cybersecurity and identity theft breaches, including breaches caused by the provider’s own internal threats (such as misconduct by its employees or contracted vendors) and breaches caused by outside threats (such as a third party hijacking a plan participant’s account)? Keep in mind that insurance pays for losses after the fact; it does not prevent them, and the policy’s limits and exclusions decide how much of a loss it actually covers.
The guidance also suggests contract terms that actually require specific cybersecurity standards. A plan fiduciary should review existing vendor agreements to see whether cybersecurity standards have been added to them. If not, add them sooner rather than later.
Process for Comparing and Selecting a Service Provider
So how do you do all of this, and how can you do it consistently, with the same process for every vendor? I strongly suggest a standardized questionnaire that you ask all current and all potential new vendors to complete and return to you, so that you can verify and compare vendors properly.
The first step is to look for service providers that follow a recognized information security standard and use an outside (third-party) auditor to review and validate their cybersecurity practices. Ask for the annual audit reports that verify information security, system/data availability, processing integrity and data confidentiality, and read them: note the audit period, any exceptions the auditor found, and whether the systems in scope are the ones that will hold your plan’s data.
Next, find out how the service provider validates its practices and which security standards it has met and implemented. Be sure your contract gives you the right to review audit results demonstrating compliance with the standard, requires ongoing compliance with cybersecurity and information security standards, and does not contain provisions that limit the service provider’s responsibility for IT security breaches. Have a consultant or attorney review the contract to see whether it has, or whether you can add, terms that enhance cybersecurity protection for the plan and its participants: information security reporting, clear provisions on the use, sharing and confidentiality of information, and a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse. Does the contract require the provider to notify you of cybersecurity breaches, and if so, how quickly? You will also want provisions obligating the provider to cooperate with investigations, to address the cause of a breach responsibly, and to mitigate it.
Additional contract terms to look for include a requirement for ongoing cybersecurity and information security compliance. Does the contract limit the service provider’s responsibility for IT security breaches? That is a red flag and a prompt to dig further. Consider including terms that enhance cybersecurity protection for the plan and its participants, including (but not limited to): Information Security Reporting – annual third-party audits to determine compliance with the provider’s IT policies and procedures; Clear Provisions on the Use and Sharing of Information & Confidentiality – spell out the provider’s obligation to keep private information private, to prevent use or disclosure of confidential information without written permission, and to meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse.
While you are looking at contracts, also consider these terms: Notification of Cybersecurity Breaches – specify how quickly you will be notified of any cyber incident or data breach, and require the provider’s cooperation in investigating and reasonably addressing the cause of the breach; Compliance with Records Retention & Destruction and Privacy & Information Security Laws – specify the provider’s obligation to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality or security of participants’ personal information; Insurance – as a plan sponsor or fiduciary you may want to require coverage such as professional liability, E&O, cyber liability and privacy breach insurance, and/or a fidelity bond or blanket crime coverage. Be sure you understand the terms and limits of each before relying on it as protection from loss.
Cyber insurance in today’s world is critical for most, if not all, service providers. “One vital aspect of a well-rounded cybersecurity plan is being prepared for every possible scenario,” stated Adriana. “Cyber insurance can play a crucial role in reducing the financial impact of a cyber incident. It offers coverage for various expenses, such as legal and forensic services, breach notification, credit monitoring, public relations, and potential regulatory fines. By obtaining cyber insurance, plan sponsors and fiduciaries can transfer some of the financial risks associated with cyber incidents to an insurance provider, providing an additional layer of protection for plan assets. Furthermore, cyber insurance can provide additional benefits beyond financial protection. Many insurance providers offer proactive risk management services and resources to policyholders, such as cybersecurity training, vulnerability assessments, and incident response support. These services can assist organizations in strengthening their cybersecurity posture and enhancing their overall resilience against cyber threats. However, it is important to acknowledge that cyber insurance should not be viewed as a substitute for a comprehensive cybersecurity plan. It is merely a component of a broader strategy that encompasses preventive measures, employee education, regular system updates, and ongoing monitoring. Having a formal cybersecurity plan in place provides a structured approach to safeguarding critical assets and minimizing the potential impact of cyber incidents, including the role of insurance.”
The guidance states that when you contract with a service provider, the plan sponsor/fiduciary should make sure the contract requires ongoing compliance with cybersecurity and information security standards, and should be wary of provisions limiting the provider’s responsibility for IT security breaches. I asked Marilyn, as an attorney, what kind of provisions she would recommend including in vendor contracts to meet these requirements. “If the draft agreement comes from the service provider, do not take the contract terms for granted. Be certain that the contract addresses the issues that are most important to you, and provides you with assurances that security compliance will satisfy designated industry standards, not only as of the date the contract was signed, but on an on-going basis. The DOL’s guidance provides some terms to consider.” Again, trust, but verify!
A standardized questionnaire lets you compare service providers on the same questions. With the completed questionnaires in hand, hold one or more committee meetings to evaluate them, document the positives and negatives of each, and assign a value or score to each for comparison. After discussion and evaluation, make your selection based on the final value or score of each provider and record it, so that you can justify why the selection was made.
If a service provider refuses to complete your questionnaire, assume there is a reason. Quite likely, it is not doing everything it should to protect client (your) data, and you may not want to use it. If it is an existing vendor, you should be looking at replacement vendors and at a safe and efficient method for moving the data from the old service provider to the new one.
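The scoring and comparison step described above is easy to do inconsistently across vendors, so here is a small added example of how a committee might score returned questionnaires the same way every time. This is example code written for this article, not a tool from the DOL guidance or from ABC; the criteria are drawn from the topics the guidance raises, but the weights, the choice of which items are “knockouts” (a “no” disqualifies the vendor regardless of its total score), the 72-hour notification window and the sample vendor answers are all assumptions constructed for the illustration.

```python
"""Score and rank service-provider cybersecurity questionnaires consistently."""
from dataclasses import dataclass, field

# Questionnaire items taken from topics the DOL guidance raises (recognized
# standard, outside audit, MFA, encryption, breach notification, insurance,
# incident response). Weights and knockout flags are assumptions for this
# example; a plan committee would set its own. Format: name -> (weight, knockout)
CRITERIA = {
    "recognized_security_standard": (3, True),
    "annual_third_party_audit": (3, True),
    "mfa_for_participant_and_admin_access": (2, True),
    "encryption_in_transit_and_at_rest": (2, False),
    "breach_notification_within_72h": (2, False),
    "cyber_liability_insurance": (1, False),
    "documented_incident_response_plan": (1, False),
}
MAX_POINTS = sum(weight for weight, _ in CRITERIA.values())  # 14


@dataclass
class VendorResult:
    name: str
    score: float                 # percent of available weighted points, 0-100
    disqualified: bool
    reasons: list = field(default_factory=list)    # why the vendor was knocked out
    unanswered: list = field(default_factory=list) # items to follow up on


def score_vendor(name, answers):
    """Score one questionnaire. answers maps criterion -> True / False / None.

    None means the vendor left the item blank; an empty dict means the vendor
    did not return the questionnaire at all, which is treated as a refusal.
    """
    result = VendorResult(name=name, score=0.0, disqualified=False)
    if not answers:
        result.disqualified = True
        result.reasons.append("questionnaire not returned")
        return result
    points = 0
    for criterion, (weight, knockout) in CRITERIA.items():
        answer = answers.get(criterion)
        if answer is None:
            # A blank earns nothing and is recorded for follow-up; a blank on a
            # required control is treated the same as a "no".
            result.unanswered.append(criterion)
            if knockout:
                result.disqualified = True
                result.reasons.append(f"no answer on required control: {criterion}")
        elif answer:
            points += weight
        elif knockout:
            result.disqualified = True
            result.reasons.append(f"required control missing: {criterion}")
    result.score = round(100 * points / MAX_POINTS, 1)
    return result


def rank_vendors(submissions):
    """Rank all submissions: qualified vendors by score, disqualified ones last."""
    results = [score_vendor(name, answers) for name, answers in submissions.items()]
    return sorted(results, key=lambda r: (r.disqualified, -r.score, r.name))


# Constructed sample submissions for the example (not real vendors).
_ALL_YES = {criterion: True for criterion in CRITERIA}
SAMPLE_SUBMISSIONS = {
    "Vendor A": dict(_ALL_YES),
    # Qualified, but no insurance and silent on breach notification timing.
    "Vendor B": {**_ALL_YES, "cyber_liability_insurance": False,
                 "breach_notification_within_72h": None},
    # High raw score, but no MFA: knocked out regardless of the total.
    "Vendor C": {**_ALL_YES, "mfa_for_participant_and_admin_access": False},
    # Refused to return the questionnaire.
    "Vendor D": {},
}

if __name__ == "__main__":
    for r in rank_vendors(SAMPLE_SUBMISSIONS):
        status = "DISQUALIFIED" if r.disqualified else "qualified"
        print(f"{r.name}: {r.score:5.1f}  {status}  {'; '.join(r.reasons)}")
        for item in r.unanswered:
            print(f"    follow up: {item}")
```

The point of the knockout flags is the one the article makes: a vendor that scores well overall but lacks a control you consider mandatory should not float to the top of the list on arithmetic alone, and a vendor that will not answer at all is ranked last, with the reason recorded so the committee’s decision is documented.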
Why is it important to hire service providers with strong cybersecurity practices? “For two key reasons,” stated Monahan. “First, because choosing the right service provider is a fiduciary function. (This point was also emphasized by the new CAA compensation disclosure rules.) Second, because loose cybersecurity practices by a service provider create vulnerabilities, and vulnerabilities could result in a breach that could harm the employer and plan participants.”
To make this process easier for our clients, ABC has developed a sample questionnaire and chart for comparison for our clients to assist them in their selection of service providers, and to be sure the employer client is fully documenting their cybersecurity program based on the DOL guidance.
“A checklist or questionnaire would be a great idea,” commented Mayeshiba, when I informed Aditi of ABC’s intention to create tools for compliance with the Guidance. “It will give the uninitiated a baseline to begin asking the right questions of their IT staff. Every company is different. Every company does things differently. A checklist or questionnaire will help get everyone on the same page to tackle a tricky problem. One size does not fit all.”
Service Provider Monitoring
The DOL guidance also expects plan sponsors/fiduciaries to have a process for monitoring their service providers’ cybersecurity. Questions to ask yourself include: a) what categories are you monitoring? b) how often are you monitoring? c) who is assigned to monitor? d) do you have a documented process for all of this?
As a plan sponsor/fiduciary, what will you do when you see deficiencies or failures to perform? What is your process for reporting them to the service provider and getting resolution or improvement? Have you defined the who, what, when and how? Again, all of these processes should be in place, along with the ability to make corrections and changes as needed.
The guidance makes it clear that you, as a plan sponsor/plan fiduciary, have an obligation to be sure your vendors/service providers follow a recognized information security standard and use one or more outside third-party auditors to review and validate their cybersecurity.
Your confidence in a service provider increases if the security of its systems and practices is backed by annual audit reports that verify information security, system/data availability, processing integrity and data confidentiality. So verify whether the service provider has annual audits and who the outside auditor is; then perform your normal credentialing, fact-checking and due diligence to be sure the auditor is reputable and that the assessment is against NIST (National Institute of Standards and Technology) or other recognized security standards.
Other tips for hiring a service provider with strong cybersecurity practices include, of course, checking references, getting a consultant’s seal of approval, and using legal counsel when appropriate. We also suggest that you keep your eyes open and not hire service providers based only on friendship, family relations, or golf or sports buddies; you need to hire experts if you want to show that you have taken the guidance and your fiduciary role seriously.
Cybersecurity Program Best Practices
A Formal, Well-Documented Cybersecurity Program
The guidance calls for a formal, well-documented cybersecurity program. According to the DOL, a sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of stored nonpublic information. Under the program, the organization fully implements well-documented information security policies, procedures, guidelines and standards to protect the security of the IT infrastructure and the data stored on its systems.
A “prudently designed” program will protect the infrastructure, information systems and the information in those systems from “unauthorized access, use, or other malicious acts by enabling the organization to identify the risks to assets, information and systems; protect each of the necessary assets, data and systems; detect and respond to cybersecurity threats; recover from the event, should one occur; disclose the event as appropriate; restore normal operations and services as quickly and efficiently as possible.”
Why is this formal program so important in protecting plan assets and overall ERISA compliance? “There are several good reasons for having a written program,” stated Marilyn. “One of those reasons is that the drafting process, on its own, is an important tool that can be used to identify and address both cybersecurity vulnerabilities and corresponding solutions. In addition, a written standard gives you a starting point for compliance, as well as a reference point for on-going risk analysis and upgrades. Finally, if you are audited, a well-written and well-thought-out program will provide proof of your commitment to cybersecurity.”
Interestingly and consistently, the DOL’s cybersecurity best practices mirror what ABC and Aditi Group (our technology/IT/cybersecurity partners) have been preaching since HITECH was enacted in 2009 and the HIPAA Omnibus Final Rule was released in 2013 (with updates, of course, for current threats).
A formal, well-documented cybersecurity program should establish strong security policies, procedures, guidelines and standards that meet the following criteria:
- Approval by senior leadership
- Review at least annually with updates as needed
- Terms are effectively explained to users
- Review by an independent third-party auditor who confirms compliance
- Documentation of the particular framework(s) used to assess the security of its systems and practices.
Again, consistent with the educational materials and trainings of ABC and Aditi Group, the DOL’s best practices guidance states that you should have formal and effective policies and procedures in place governing:
- data governance and classification
- access controls and identity management
- business continuity and disaster recovery
- configuration management
- asset management
- risk assessment
- data disposal
- incident response
- systems operations
- vulnerability and patch management
- system, application and network security and monitoring
- systems and application development and performance
- physical security and environmental controls
- data privacy
- vendor and third-party service provider management
- consistent use of multi-factor authentication
- cybersecurity awareness training, given to all personnel at least annually
- encryption to protect all sensitive information in transit and at rest
“It’s important to note that cybersecurity is a complex and ever-changing field,” stated Adriana. “Striking the right balance between regulation and innovation is crucial. Overly burdensome regulations could stifle innovation and impose significant costs on businesses, particularly small and medium-sized enterprises. Any government efforts to enhance cybersecurity requirements should be carefully crafted, taking much into consideration. Any government reassessment or enhancement of its requirements should be done thoughtfully, in collaboration with industry experts, and with a clear understanding of the potential impact on businesses and the overall digital ecosystem. Cyber insurance providing financial backing should also be considered as a part of the solution.”
I asked Aditi Group Principals how important it is to have Senior Leadership involved with the cybersecurity program and why? “The company is at risk,” replied Mayeshiba. “Addressing that risk must be made by Senior Leadership. Assigning ultimate responsibility for the various cybersecurity functions must be made so that the POSITION, not the person, is the RIGHT person to take action.”
“We also know that actions speak louder than words,” commented Flittner. “When we see people at the top involved, we know it’s important.”
This sentiment was echoed by Adriana Mendieta, cyber liability insurance expert. “Having Senior Leadership engaged in the cybersecurity program is crucial. Leadership sets the tone, allocates resources, makes decisions and is key in incident response and in compliance and legal considerations.”
Prudent Annual Risk Assessments
Again, 100% consistent with what ABC and Aditi Group have been training on since 2009, risk assessments are necessary and of the utmost importance. A risk assessment identifies, estimates, and prioritizes the risks to your information systems. IT and cyber risks are constantly changing, and your risk assessment schedule should reflect that. If you want to be safe, you must continually adapt to new threats and know how to mitigate them. Waiting only puts your firm and your assets, including your data, at greater risk.
Why is this documentation and annual risk assessment so important? “When you’re standing in front of a judge, they want to see evidence that you’ve at least made a good faith effort to comply. This is your vehicle,” stated Mayeshiba.
Flittner commented: “Remember the mantra: If it’s not in writing, it didn’t happen. Assessments, action plans, and notes along the way become the evidence that a program IS real. Investigators look for these documents right off the bat. Every business changes and technology evolves so quickly year after year that what we thought was ‘safe’ last year may not be now. Risk assessment MUST be a repeated action or risk will grow and grow over time.”
So what does a Prudent Annual Risk Assessment accomplish? “The environment is constantly changing,” stated Mayeshiba. “Cybercriminals are improving their techniques, software and attacks. As we know more, we need to assess differently. It’s ‘whack-a-mole.’”
“Documentation and annual risk assessments are critical components of a proactive cybersecurity approach,” stated Adriana. “They help organizations identify and mitigate risks, ensure compliance with regulations, enable effective incident response, and enhance the prospects of obtaining adequate cyber insurance coverage.”
Adriana continued, “Prudent Annual Risk Assessment is a vital tool in the world of cyber, particularly when it comes to qualifying for cyber insurance. It enables organizations to identify, quantify, and mitigate risks, and to determine whether or not they are prepared to respond to any cyber incidents.”
A Reliable Annual Third-Party Audit of Security Controls
It’s vitally important to have an independent auditor assess your organization’s security controls; the result is a clear, unbiased report of existing risks, vulnerabilities and weaknesses. As I always say in training, an in-house IT team should NEVER evaluate its own in-house security. It’s like putting the proverbial fox in charge of the hen house… or, in more corporate terms: an IT team is stressed enough. If they know that an outside audit could result in more work, or in modifying or changing what they spent months or longer putting in place, they tend to be protective of their work and of the time and energy they put into it. So, in their own eyes and in their reports to senior management, they are less likely to report their own weaknesses. Sometimes it takes an outside auditor to light a fire under them to tighten things up and be more secure.
“Involving an independent third-party in reviewing a cyber program and policies brings objectivity, expertise, credibility, compliance verification, and risk mitigation to the process. Their involvement strengthens the overall effectiveness of the program, instills confidence and helps organizations stay resilient,” commented Adriana.
The Best Practices guidance states that the program and policies should be reviewed by an independent third-party auditor who can confirm compliance. I asked Aditi Group why this third party is so important, and whether this is something that Aditi Group does for employer plan sponsors.
Flittner responded: “The outside viewer can spot things that insiders look past or forget about. And insiders often just assume something has to be a certain way – ‘it’s always been this way.’ And impartiality allows an outside viewer to highlight and include things that may be too sensitive or political hot potatoes.”
“Yes, we have done these audits,” confirmed Mayeshiba. “Sometimes, the company comes to us and says, ‘we’ve done our best, can you please review our situation and documentation?’ We have also started from scratch with companies that have nothing in place and want us to build something for them.” So there is help out there, if you need it.
Clearly Defined and Assigned Information Security Roles and Responsibilities
The DOL Guidance clearly states that for a cybersecurity program to be effective, it must be managed at the senior executive (fiduciary) level and be executed by qualified personnel. The Guidance calls for the Chief Information Security Officer (CISO) to establish and maintain the vision, strategy, and operation of the cybersecurity program, and for the personnel who carry it out to:
- Have sufficient experience and the necessary certifications
- Be subject to initial and periodic background checks (because, let’s face it, things can change after people are hired)
- Receive regular updates and training to address current cybersecurity risks
- Have current knowledge of changing cybersecurity threats and countermeasures
Strong Access Control Procedures
Access control, says ABC, Aditi Group and the DOL, is the method of ensuring that users are who they say they are and that they have only the access to systems and data that is appropriate for them. It has two main components: authentication (proving an identity) and authorization (what that identity is allowed to do). The Guidance provides best security practices for access control, which again are consistent with those provided by ABC and Aditi Group. They include:
- Access to systems limited to authorized users, processes, devices, activities and transactions
- Access privileges reviewed at least quarterly
- A requirement for complex and unique passwords
- Multi-factor authentication
- Policies, procedures and controls to monitor activity and detect unauthorized access to, use of, or tampering with nonpublic information
- Procedures to ensure that sensitive data about a participant or beneficiary in the service provider’s records matches the information the plan maintains
- Confirmation of the identity of the authorized recipient of any funds
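The quarterly privilege review is the access-control item most often skipped, so here is what it looks like as a repeatable check rather than a spreadsheet exercise. This is an added example, not code from the DOL guidance, ABC or Aditi Group. It runs over a constructed user-access export; the field names (User, Role, MFAEnabled, Terminated, LastLogin), the 90-day dormancy threshold and the list of privileged roles are assumptions to be replaced with your own policy and your identity provider’s export format.

```go
package main

import (
	"fmt"
	"time"
)

// Account is one row of a constructed user-access export. The field names are
// assumptions for this example, not the schema of any real identity system.
type Account struct {
	User       string
	Role       string // "admin", "payroll", "plan_admin", "viewer", ...
	MFAEnabled bool
	Terminated bool // HR's record says this person has left the company
	LastLogin  time.Time
}

// Finding is one line on the quarterly access-review worksheet.
type Finding struct {
	User   string
	Reason string
}

// dormantAfter is an assumed threshold: one quarter without a login.
const dormantAfter = 90 * 24 * time.Hour

// privilegedRoles must always have MFA and get the closest review.
var privilegedRoles = map[string]bool{"admin": true, "payroll": true, "plan_admin": true}

// ReviewAccess applies the review rules to every account and returns every
// finding in input order. now is a parameter so the result is reproducible
// and can be dated in the review record.
func ReviewAccess(accounts []Account, now time.Time) []Finding {
	var findings []Finding
	for _, a := range accounts {
		if a.Terminated {
			findings = append(findings, Finding{a.User, "terminated user still has an active account; disable it now"})
		}
		if privilegedRoles[a.Role] && !a.MFAEnabled {
			findings = append(findings, Finding{a.User, "privileged role (" + a.Role + ") without multi-factor authentication"})
		}
		if now.Sub(a.LastLogin) > dormantAfter {
			findings = append(findings, Finding{a.User, "no login in over 90 days; confirm the access is still needed or remove it"})
		}
	}
	return findings
}

// sampleExport is constructed data for the example.
func sampleExport(now time.Time) []Account {
	day := 24 * time.Hour
	return []Account{
		{User: "jsmith", Role: "payroll", MFAEnabled: true, LastLogin: now.Add(-3 * day)},
		{User: "vpn-contractor", Role: "viewer", MFAEnabled: false, LastLogin: now.Add(-200 * day)},
		{User: "old-admin", Role: "admin", MFAEnabled: false, Terminated: true, LastLogin: now.Add(-120 * day)},
		{User: "mlee", Role: "admin", MFAEnabled: true, LastLogin: now.Add(-10 * day)},
	}
}

func main() {
	now := time.Date(2023, 6, 30, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccess(sampleExport(now), now) {
		fmt.Printf("%-15s %s\n", f.User, f.Reason)
	}
}
```

The output is the review worksheet: each finding names the account and the action the reviewer must take, and the dated result is the written evidence that the review actually happened. Feed it the real export from your identity provider and the real leaver list from HR; the rules themselves rarely need to change.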
Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider Subject to Appropriate Security Reviews and Independent Security Assessments
Cloud computing brings its own dangers and challenges: using a cloud means that a third party is storing your data. Organizations must understand the security posture of the cloud service provider in order to make sound decisions about its services. Best practices include requiring a risk assessment of third-party service providers; defining minimum cybersecurity practices; periodically assessing third-party providers based on potential risks; and ensuring that guidelines and contractual provisions protect all parties. Be sure to have a HIPAA Business Associate Agreement in place with your cloud providers if any HIPAA or related information is stored there.
Why is it best to have a third-party cloud provider reviewed and have independent security assessments? “The ‘Cloud’ is too easily out of sight and out of mind,” commented Flittner. “It’s too easy to ignore risks that can be understood and addressed. Sometimes an assessment leads us to make big changes. And change can mean more work for someone for a time. It’s easier to not look and pretend that it’s all ok…”
Mayeshiba commented: “Cloud computing has become very powerful and ubiquitous in the business. Everywhere your data resides, every link from your business to that data, is at risk. Do you have an agreement in place with your cloud provider that insures your data from breach? Probably not. No one can realistically take that bet, because you (the user) may well be culpable for the data breach on their cloud system. So could others in the supply chain. Yes, a security assessment should be done on all ‘third party vendors’ including cloud providers.”
“When an organization entrusts its data to a cloud provider or a third-party service, it essentially transfers some level of control and responsibility for the security of that data,” Adriana commented. “Then it becomes essential to thoroughly review and assess the security measures implemented by these providers to the same accountability of other 3rd party providers.”
Cybersecurity Awareness Training Conducted At Least Annually
As we’ve been saying at ABC and Aditi for over a decade, the weakest link in any organization’s cybersecurity is its own employees. How well or how little you train them will determine your fate in most cases. It’s imperative that you train your employees, at all levels, on the risks, what to look for, and what to do and not to do (such as clicking on links that may let malware, ransomware or other cyber threats into your systems). I’m happy that the federal government has finally put a priority on training and is stating that it should be done at least annually. Without prior guidance, some firms went years before re-training their staff.
Secure System Development Life Cycle Program
The DOL’s Guidance recommends a secure SDLC process that makes security assurance activities such as penetration testing, code review, and architectural analysis an integral part of the system development effort. It calls for protections such as:
- Configuring system alerts to trigger when an individual’s account information has been changed
- Requiring additional validation for distributions
- Requiring additional validation if personal information has been changed prior to a request for a distribution from an account
- Periodic reviews and updates
- A vulnerability management plan
- Annual penetration tests
Business Resiliency Program Which Effectively Addresses Business Continuity, Disaster Recovery and Incident Response
Business resiliency is the ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and data. You should, at minimum, have in place a Business Continuity Plan, a Disaster Recovery Plan, and an Incident Response Plan.
I asked Aditi Group how high of a priority should business continuity, disaster recovery and incident response be to plan sponsors/plan fiduciaries? “The greatest chance for a criminal to get into your system is when you aren’t looking,” replied Mayeshiba. “You’re too busy with an earthquake, storm, flooding, etc. A plan for everyone to lock down the data when an exogenous event occurs is critical.”
“Given the potential financial and reputational impact of cyber incidents, the Business Resiliency Program should be treated as a high priority by plan sponsors and fiduciaries,” informed Adriana. “Investing in proactive measures, including cyber insurance, demonstrates a commitment to protecting the organization, its stakeholders, and the beneficiaries of the plan. It also helps fulfill their fiduciary duty to act in the best interest of the plan participants and beneficiaries by safeguarding their data and assets.”
Encryption of Sensitive Data Stored and in Transit
It’s no secret that the best way to protect non-public information is to encrypt it. Organizations should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit.
Strong Technical Controls Implementing Best Security Practices
Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. Best practices for technical security, again consistent with ABC/Aditi recommendations, include:
- Keeping your hardware, software and firmware models and versions up to date
- Using reputable, vendor-supported firewalls and intrusion detection and prevention tools or appliances
- Using current and regularly updated antivirus software
- Implementing routine patch management (preferably automated)
- Implementing network segregation
- Using system hardening
- Having routine data backup (preferably automated)
Responsiveness to Cybersecurity Incidents or Breaches
It’s usually not if, but when, a cybersecurity breach or incident occurs, and when it does, you should take appropriate actions to protect the plan and its participants, including:
- Informing law enforcement
- Notifying the appropriate insurer
- Investigating the incident
- Giving affected plans and participants the information they need to prevent or reduce injury
- Honoring any contractual or legal obligations with respect to the breach, including complying with notification requirements
- Fixing the problems that caused the breach so that it does not recur
Online Security Tips
The third of the three DOL guidance documents provided online security tips, which are 100% consistent with the training tips currently provided by ABC and Aditi Group. The guidance states that you can reduce the risk of fraud and loss to your retirement account (or other plans) if you follow their (and our) online security tips, including: registering, setting up and routinely monitoring your online account; using strong and unique passwords; using multi-factor authentication; keeping personal contact information current; closing or deleting unused accounts; being wary of free wifi; being aware of phishing attacks and taking steps to eliminate or reduce them; using antivirus software and keeping apps and software current; and knowing how to report identity theft and cybersecurity incidents.
Of course, phishing attacks aim to trick you into sharing your passwords, account numbers, and sensitive information, which allows the “bad actors” to gain access to your accounts. You should always be alert to these, and train your staff to be wary of messages that look like they come from a trusted organization but are designed to lure you into clicking a dangerous link or passing along confidential information. Warning signs include: a text message or email that you didn’t expect, or that comes from a person or service you don’t know or use; spelling errors or poor grammar; mismatched links (a link that sends you to an unexpected address; catch these by hovering your mouse over the link without clicking, so that your browser displays the actual destination); shortened or odd links or addresses; an email request for your account number or personal information; offers or messages that seem too good to be true, express great urgency, or are aggressive and perhaps scary; strange or mismatched sender addresses; or anything else that makes you feel uneasy.
We always suggest that you check with your IT department or your Security Officer if something doesn’t look or feel right, and always be cautious, and DON’T CLICK unless you are 100% sure that the email is legitimate.
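To make the link and sender checks concrete, the following added example (not code from the guidance, ABC or Aditi Group) scans a constructed phishing message for the warning signs listed above: a sender domain the plan does not use, a Reply-To that quietly redirects replies elsewhere, a shortened link, and link text that shows one address while the link actually goes to another. The allow-list of plan domains and the shortener list are assumptions, every domain in the sample message is a placeholder, and the base-domain comparison is deliberately simplified.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

var (
	anchorRe       = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	tagRe          = regexp.MustCompile(`(?s)<[^>]+>`)
	looksLikeURLRe = regexp.MustCompile(`(?i)^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$`)
	shorteners     = map[string]bool{"bit.ly": true, "tinyurl.com": true, "t.co": true} // assumed list
)

// baseDomain keeps the last two labels of a host (simplified; real code should use the public suffix list).
func baseDomain(host string) string {
	parts := strings.Split(strings.ToLower(host), ".")
	if len(parts) > 2 {
		parts = parts[len(parts)-2:]
	}
	return strings.Join(parts, ".")
}

// hostOf extracts the lower-cased host from a URL, tolerating a missing scheme.
func hostOf(raw string) string {
	raw = strings.TrimSpace(raw)
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// mailDomain returns the base domain of an address such as a@b.example.
func mailDomain(addr string) string {
	return baseDomain(addr[strings.LastIndex(addr, "@")+1:])
}

// ScanMessage checks one raw email against the warning signs and returns one
// warning per sign found. knownSenders lists the domains the plan really uses.
func ScanMessage(raw string, knownSenders map[string]bool) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var warnings []string
	fromDomain := mailDomain(from.Address)
	if !knownSenders[fromDomain] {
		warnings = append(warnings, "sender domain "+fromDomain+" is not one the plan uses")
	}
	// Replies quietly redirected to another domain are a classic spoofing sign.
	if r, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && mailDomain(r.Address) != fromDomain {
		warnings = append(warnings, "replies go to "+mailDomain(r.Address)+", not to the sender's domain")
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		dest, text := hostOf(m[1]), strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		if shorteners[dest] {
			warnings = append(warnings, "shortened link hides its real destination: "+m[1])
		}
		// Compare only when the visible text itself looks like a web address; "Click here" says nothing either way.
		if looksLikeURLRe.MatchString(text) && baseDomain(hostOf(text)) != baseDomain(dest) {
			warnings = append(warnings, fmt.Sprintf("link text shows %s but actually goes to %s", hostOf(text), dest))
		}
	}
	return warnings, nil
}

// samplePhish is a constructed message for the example; every domain is a placeholder.
const samplePhish = "From: \"ACME Benefits Plan\" <alerts@acme-benefits-login.example>\r\n" +
	"Reply-To: support@payout-verify.example\r\n" +
	"Subject: URGENT: your retirement account has been locked\r\nContent-Type: text/html\r\n\r\n" +
	"<p>Verify within 24 hours to avoid permanent suspension.</p>" +
	"<p><a href=\"http://bit.ly/abc123\">Click here</a> or visit " +
	"<a href=\"https://acme-benefits-login.example/verify\">https://www.acme-benefits.example/login</a></p>\r\n"

func main() {
	warnings, err := ScanMessage(samplePhish, map[string]bool{"acme-benefits.example": true})
	if err != nil {
		panic(err)
	}
	for _, w := range warnings {
		fmt.Println("WARNING:", w)
	}
}
```

The point of the mismatch check is exactly the hover test from the paragraph above, done by a program: the text a reader sees and the address the browser would open are compared, and any difference is reported. Run against a clean statement notice from the plan’s own domain it produces no warnings, which is what keeps a check like this from training people to ignore it.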
I asked Aditi if there were additional tips/suggestions for online safety they’d like to share, in addition to what is stated in the guidance. “The tips are all good ones,” stated Flittner. “But there are other factors to remember, such as the security of the device they are using. Is it shared with others? Is it up to date with security patches and releases? Is it still supported? Think Microsoft Windows 7, now end of life for software updates. Does it have other vulnerable software on it that hackers can exploit (think multiplayer games, for example)? Be aware of who may be looking over your shoulder when you are online as well. Keep it to yourself. Don’t look for anti-virus alone to catch all malware that you might innocently download or flaws that hackers may exploit. Reduce risks in ALL areas.”
Overall Policies and Procedures for Cybersecurity and Their Importance
All three sets of guidance are very helpful and much-needed. I for one have been saying (and writing) for years that we needed more federal action and guidance on privacy and security. Knowing that the DOL/EBSA has made it clear that plan sponsors and fiduciaries need to pay more attention to cybersecurity, and adding this to DOL audits, should hopefully increase overall awareness and prioritize cybersecurity as you prioritize protecting your other assets. It does make me feel good that the DOL has affirmed everything we’ve been teaching for so many years in our electronic security training. I asked Aditi if they feel it’s about time that the government stepped up their requirements for cybersecurity.
“Absolutely,” replied Flittner. “Can we get an AMEN?!”
“Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards.”
I asked Marilyn Monahan, on a scale of 1-10, 10 being of highest importance how she would rank the importance of Cybersecurity. “How can a compliance lawyer pick a favorite? Isn’t that like asking a parent to choose a favorite child? Let’s just say the time is right to make this a priority.”
The bottom line is, had Colonial Pipeline, Anthem, a myriad of health insurance companies and providers, and many others practiced what this guidance asks plan sponsors and plan fiduciaries to do, their breaches and ransom situations might not have happened, or might have been mitigated sooner and been less costly. So, learn from those who did not practice the policies, procedures and awareness of the importance of cybersecurity in the past, and hopefully your data will be protected.
About the Author: Dorothy Cociu is the President of Advanced Benefit Consulting, which was honored by HR Tech Outlook in 2023 for Top Employee Benefits Solutions Provider and in 2022 for Top Employee Benefits Service Company. Dorothy is a proud member of the Professionals in Human Resources Association (PIHRA), Self-Insurance Institute of America, National Association of Benefits & Insurance Professionals, California Association of Health Insurance Professionals (CAHIP), and current VP of Communications for CAHIP-Orange County, CA.
Author’s Note: I’d like to thank Marilyn Monahan, Aditi Group and Adriana Mendieta for their assistance with this article. Marilyn can be reached at Marilyn@monahanlawoffice.com, Ted Flittner can be reached at ted.flittner@aditigroup.com, Ted Mayeshiba at ted.mayeshiba@aditigroup.com, and Adriana Mendieta at adriana@mendieta.net. The author can be reached at (714) 693-9754 x 3, or toll free at 866 658-3835, or by email at dmcociu@advancedbenefitconsulting.com. Be sure to listen to ABC’s informative benefits and compliance podcast, the Benefits Executive Roundtable, to stay up to date. It can be found on all major podcast platforms, and ABC begins Season 5 in the fall, 2023.