By: Jason Connotillo, Director, EisnerAmper Digital
The Employee Benefits Security Administration (“EBSA”) announced cybersecurity guidance in April 2021 that encourages the installation of cybersecurity protections for administering the retirement benefits of America’s workers. This encouragement is driven by language in the guidance that reveals plan sponsors and fiduciaries have a duty to mitigate cybersecurity risk.
EBSA, which is a branch of the U.S. Department of Labor (“DOL”), is responsible for administering and enforcing the fiduciary, reporting and disclosure provisions within critical parts of the Employee Retirement Income Security Act (“ERISA”). Through its guidance, EBSA is taking renewed aim at protecting an estimated $10 trillion in assets [1]. This is a sizeable portion of the $36 trillion in total U.S. retirement assets reported by the Investment Company Institute earlier this year.
There is no doubt retirement plan assets are a target for cyber incidents, which can be debilitating to plan sponsors and plan participants. Retirement assets account for roughly 32 percent of all household financial assets [2]. Diane Wasser, a Partner at Eisner Advisory Group LLC, founded the Pension Services Group at EisnerAmper approximately 30 years ago based on a passion for protecting retirement assets through plan audits. With cybersecurity threats far more prevalent today than they were 30 years ago, this threat adds a whole new dimension to that risk.
Who is impacted by this announcement? Minimum expectations for cybersecurity have been set in the guidance for plan sponsors, plan fiduciaries and recordkeepers. While a portion of the guidance impacts plan participants who must follow, navigate and adhere to access control policies, the most critical protections called for by the EBSA involve cybersecurity standards for selecting service providers and administering benefits plans, which are primary activities of the plan sponsor, fiduciaries and recordkeepers.
Plan sponsors often have little understanding of their fiduciary responsibility for their employee benefit plans because so many of a plan’s operations are outsourced to third parties, including the plan custodian and recordkeeper. However, that outsourcing does not excuse a plan sponsor from its responsibilities because they must monitor those providers, and this guidance adds another dimension to that monitoring.
Summary of the Cybersecurity Guidance
EBSA’s guidance draws attention to three critical risk areas:
1. TIPS FOR HIRING A SERVICE PROVIDER
The guidance is meant to help plan sponsors and fiduciaries evaluate and select only those benefit plan service providers with strong cybersecurity practices. The EBSA goes so far as to state in the guidance that this is an ERISA requirement. The six best practices listed in this section are detailed in full in the guidance itself and relate directly to performing due diligence on, and contracting with, service providers.
Important tips include:
- Asking about the service provider’s information security standards, practices and policies.
- Asking how the service provider validates its cybersecurity practices and what security standards it meets.
- Evaluating the service provider’s track record in the industry, including derogatory information about information security incidents.
- Asking if the service provider experienced prior security breaches and how they were handled.
- Asking the service provider about its cybersecurity insurance policies.
- Making sure legal contracts with the service provider require ongoing compliance with cybersecurity and information security standards.
2. CYBERSECURITY PROGRAM BEST PRACTICES
This section helps service providers and recordkeepers meet their responsibility to adequately manage cybersecurity risks, and helps plan sponsors and fiduciaries sufficiently assess those risks. It details 12 best practice activities for protecting plan-related IT systems and data. This portion of the EBSA guidance identifies the types of enterprises, and the cybersecurity activities, the DOL would likely audit when ensuring proper mitigation of cybersecurity risks.
Important guidance includes:
- Having in place a formal, well-documented cybersecurity program.
- Conducting prudent annual risk assessments.
- Having a reliable, annual third-party audit of security controls.
- Clearly defining and assigning information security roles and responsibilities.
- Having strong access control procedures.
- Ensuring that any assets or data stored in the cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conducting periodic cybersecurity awareness training.
- Implementing and managing a secure system development life cycle (“Secure SDLC”) program.
- Having an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypting sensitive data, both stored and in transit.
- Implementing strong technical controls in accordance with best security practices.
- Appropriately responding to any current or prior cybersecurity incidents.
3. ONLINE SECURITY TIPS
These are intended to help plan participants and beneficiaries who use online retirement accounts reduce the risk of fraud and loss to those accounts. The guidance lists nine best practice activities, ranging from using strong passwords to the risks of free Wi-Fi.
Interpreting the Guidance
The tips and best practice activities that comprise the guidance are not new. In fact, they are a set of actions consistent with general cybersecurity best practices or what is often referred to as “good cyber hygiene.” These practices are now understandably being introduced more formally by regulators to a hyper-critical industry experiencing accelerating threats.
Recent headline-grabbing cybersecurity events involving retirement benefit plans include unauthorized distributions stemming from suspected stolen participant information and plan sponsors being the target of ransomware attacks. ERISA does not currently address cybersecurity risk or events, but it was created to protect retirement benefits, their participants and their beneficiaries. This is what makes the EBSA guidance a natural fit both in terms of timing and subject matter.
Although the guidance is not law, the DOL surely will be asking for information on cybersecurity policies when inquiring with plan sponsors about their benefit plans. Its issuance, however, represents a good time to review your own practices wherever you sit within the regulatory spectrum, be it plan sponsor, fiduciary or recordkeeper, and to prepare for aligning with these practices as they become the norm (and likely the law) for doing business in this space.
For more information, please contact any of the professionals at Fiducient Advisors.
About the Author
Jason Connotillo is a Director within EisnerAmper Digital. He is an organizational control executive whose range of expertise and influence for improvement and transformation crosses several business communities. With 15 years of experience, Jason currently leads financial, operations and information technology improvement programs for the firm’s clients, in addition to having undertaken a number of change management and advisory roles within the industry.
Prior to joining the firm, Jason was Vice President at a cloud-based FinTech provider for the global banking and capital markets communities. He led enterprise-wide organizational control programs, including global internal audit, business process re-engineering, and control over financial reporting, while working directly with the executive management team and Board of Directors. Jason served earlier as a Director at the provider’s parent company, a leading multi-national provider of outsourcing and technology solutions for investment management and financial services firms. There, on behalf of the executive management team, he led governance over global internal controls, business line development, acquisition integration, and systems and process transformation.
Jason’s aptitude and passion for the capital markets runs deep, having spent seven years combined with two multi-national, leading financial services organizations, where he led risk management, systems and process improvement, and business integration programs for each of their global alternatives, real estate and traditional asset management platforms.
“EisnerAmper” is the brand name under which EisnerAmper LLP and Eisner Advisory Group LLC provide professional services. EisnerAmper LLP and Eisner Advisory Group LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. EisnerAmper LLP is a licensed independent CPA firm that provides attest services to its clients, and Eisner Advisory Group LLC and its subsidiary entities provide tax and business consulting services to their clients. Eisner Advisory Group LLC and its subsidiary entities are not licensed CPA firms. The entities falling under the EisnerAmper brand are independently owned and are not liable for the services provided by any other entity providing services under the EisnerAmper brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by EisnerAmper LLP and Eisner Advisory Group LLC.
This report is intended for the exclusive use of clients or prospective clients of Fiducient Advisors. The information contained herein is intended for the recipient, is confidential and may not be disseminated or distributed to any other person without the prior approval of Fiducient Advisors. Any dissemination or distribution is strictly prohibited. Information has been obtained from a variety of sources believed to be reliable though not independently verified. Any forecasts represent future expectations and actual returns, volatilities and correlations will differ from forecasts. This report does not represent a specific investment recommendation. Please consult with your advisor, attorney and accountant, as appropriate, regarding specific advice. Past performance does not indicate future performance and there is a possibility of a loss.