Cybersecurity Guidance Issued by the Employee Benefits Security Administration
The Employee Benefits Security Administration (EBSA) issued its first cybersecurity guidance in April 2021 to help plan sponsors and plan fiduciaries regulated by the Employee Retirement Income Security Act of 1974 mitigate internal and external cybersecurity threats. The guidance presents its recommendations as cybersecurity program best practices for record-keepers and other service providers responsible for plan-related IT systems and data.
The 12 best practices outlined by the EBSA include:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable, annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Whenever guidance is issued by regulators, audit activity typically follows.
BKD Cyber can help you assess your security posture and implement these best practices to be prepared for any regulator audit that may commence in the near future. Please contact us at bkdcyber.com for more information.