With new guidance by the Department of Labor (DOL) on cybersecurity, it’s important to determine whether your plan provider meets that guidance.
The DOL provided information on best cybersecurity practices to plan fiduciaries, recordkeepers, and other service providers regarding their responsibilities for managing cybersecurity risks. Beyond looking at how your providers meet these requirements, you need to meet them yourself as well.
Best practices include:
- Maintaining a formal, well-documented cybersecurity program.
- Conducting prudent annual risk assessments.
- Having a reliable annual third-party audit of security controls.
- Clearly defining and assigning information security roles and responsibilities.
- Having strong access control procedures.
- Ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conducting periodic cybersecurity awareness training.
- Implementing and managing a secure system development life cycle (SDLC) program.
- Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypting sensitive data, stored and in transit.
- Implementing strong technical controls following best security practices.
- Appropriately responding to any past cybersecurity incidents.