Q. What are some best practices for establishing and maintaining cybersecurity?
A. Guidance that the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued in April 2021 suggests best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries in choosing service providers.
EBSA recommends that service providers:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
- Encrypt sensitive data, both at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.