When you think about the information that your business needs to protect, it’s natural to think about banking and finance, trade secrets and proprietary information, as well as customer records. There’s another bucket of information, however, that’s just as valuable and the Department of Labor (DOL) has just released guidelines that they want businesses to follow to keep it secure. It’s your employees’ retirement accounts along with their personal identifiable information (PII).
The cybersecurity guidance, published on April 14, 2021 by the Employee Benefits Security Administration arm of the DOL, is aimed at protecting assets of about $9.3 trillion and information on millions of people who are participants in retirement plans that are regulated by the Employee Retirement Income Security Act.
This means that many companies need to beef up their security; they need to do a more thorough job of vetting the service companies that they work with; and they need to play a part in educating employees about secure behavior and managing their online accounts.
The guidelines are divided into three sections to address each of these areas of responsibility.
Cybersecurity Program Best Practices
There are 12 areas that are addressed as cybersecurity best practices but really 2 – 12 could all be included in the first one, which is having a well-documented cybersecurity program.
While it’s clear that the DOL wants organizations to be more aware of their role in keeping employee retirement accounts safe, there is no formal accountability included in the guidelines. Other government agencies, like the Department of Defense with its Cybersecurity Maturity Model Certification (CMMC) regulations, are requiring verification of security standards.
For now, the DOL may be relying on #2 Prudent Annual Risk Assessments, and #3 A Reliable Annual Third Party Audit of Security Controls, to get a measure of validation that the guidelines are being followed. Additionally, the guidelines fall under the Employee Retirement Income Security Act (ERISA) which is a federal law, so accountability for maintaining the standards is clear.
You can get a pdf copy of Cybersecurity Program Best Practices on the DOL website here.
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
You could use the six areas detailed in these tips to vet just about any service provider that you work with – cloud providers, IT services, Software as a Service companies. You just might need a little help to interpret the answers that you get when you go through the questions that are listed in the document.
The tips talk about what you should look for in a contract with a service provider. Don’t get stuck on the clause that says, “beware contract provisions that limit the service provider’s responsibility for IT security breaches.” There is no way that anyone can 100% guarantee that you will never have a cyber incident.
Everyone has to play their part in security. If the limits are because you’re not following all of their recommendations, that’s one thing. If that’s not the case, just make sure that you understand the context of the limitation then you can decide whether or not it’s acceptable to you.
As in the best practices document, third party audits are called out as being the method that will give you the most confidence in the service provider. You’re not going to find that every service provider you work with has gone to the trouble to get their security practices audited. There are IT companies, like XPERTECHS who have invested in third party audits to assure that they’re doing what they say they’re doing to protect client assets and IT systems.
As word about the DOL cybersecurity guidelines spread out to all companies and their vendors, and they get asked these questions over and over, it wouldn’t be surprising if service providers eventually provide you with a document to quickly give you the answers you’re looking for.
You can get a the tips document pdf on the DOL website here.
Online Security Tips
This part of the DOL’s cybersecurity guidelines recognizes the role that individuals play in keeping their identity and retirement assets safe. If you have an ongoing cybersecurity awareness program like KnowBe4 at your company, you’ve already taken the first steps to helping employees learn secure online behavior.
Some of the guidelines, however, may not be covered in your current training and employees may need some instruction and reminders to monitor their accounts.
Consider adding the online security tips to your employee handbook in the section where you cover retirement benefits. Then have the employee sign off when they’ve been trained. You may not be able to verify that they’re doing everything they should, but you can equip them with the knowledge they need to follow through.
You can get the Online Security Tips pdf document on the DOL website here.
Next Steps for Companies Handling Employee Retirement Account Info
If you’re just learning about these cybersecurity guidelines, you’re bound to have questions. The best thing to do is to start conversations within your company to discover the areas of security where you’re good and where you fall short. Cybersecurity includes both technical and non-technical layers, so your HR manager needs to be just as involved as your IT manager.
If you don’t have the expertise within your company to thoroughly assess your security status, you’d best find a consultant who can give you an objective opinion and give you recommendations on how to close up gaps.
How XPERTECHS Delivers Cybersecurity
Here at XPERTECHS, we provide cybersecurity along with Managed IT Services at the level that fits your risk tolerance. If you’ve been practicing cybersecurity at a basic level, it’s likely that you’ll have to up your game to meet the requirements that the Department of Labor is requiring.
Contact us to schedule a FREE consultation.