Cybersecurity Guidance for Investment Advisers Managing ERISA plans
Jun 03, 2021 03:51 pm | by Jaqueline Hummel, Partner and Managing Director, Hardin Compliance
For Investment Advisers and Broker-Dealers
DOL issues Cybersecurity Guidance. On April 14, 2021, the U.S. Department of Labor (“DOL”) Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance directed at ERISA plan sponsors and ERISA fiduciary advisors. While the guidance appears similar to the SEC’s advice, there is one noticeable difference: the DOL says firms “should” have a reliable annual third-party audit of security controls. As part of this audit, EBSA expects to see audit reports, audit files, penetration test reports, and any other analyses or reviews of cybersecurity practices. EBSA also wants documented corrections of any weaknesses identified in the independent third-party analyses. What are the implications for firms subject to this guidance? Will the DOL consider it a breach of fiduciary duty if a firm does not hire a third party to audit its security controls? Can a firm perform this assessment internally? Time will tell whether this is a best practice or a requirement.
In addition to the third-party review, the DOL provided these best practices that ERISA plan service providers “should” follow:
- Implement a well-documented cybersecurity program.
- Conduct a prudent annual cybersecurity risk assessment.
- Clearly define and assign information security roles and responsibilities.
- Establish robust access control procedures.
- Ensure that any assets or data stored in a cloud or with a third party are subject to appropriate security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Establish an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both stored and in transit.
- Implement strong technical controls that meet best security practices.
- Respond to any past cybersecurity incidents.
The DOL guidance was published in three separate pieces: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries. Contributed by Glenn R. Skreppen, Senior Compliance Consultant.