Practice Management

Cybersecurity Program Best Practices

Q. What are some best practices for establishing and maintaining cybersecurity?

A. Guidance issued in April 2021 by the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) sets out best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries when selecting service providers.

EBSA argues that service providers should:

  • Have a formal, well-documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  • Encrypt sensitive data, stored and in transit.
  • Implement strong technical controls in accordance with best security practices.
  • Appropriately respond to any past cybersecurity incidents.