Tech & Sourcing @ Morgan Lewis


Last week, we posted on the guidance issued by the US Department of Labor (DOL) for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on cybersecurity best practices. Last week’s post focused on the guidance provided for hiring a service provider. In this week’s post, we will highlight some the DOL’s cybersecurity program best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data.

  1. Formal, well-documented cybersecurity program. The service provider should have a formal program under which the service provider implements security policies, procedures, guidelines, and standards to protect the security of its IT infrastructure and data stored on its systems. The guidance lists topics that the program should cover, including access controls and identity management, business continuity and disaster recovery, asset management, incident response, and physical security.
  2. Annual third-party audit of security controls. The service provider should have an independent auditor assess its security controls on an annual basis. As part of the audit, the service provider should provide a report to the plan fiduciary and remediate weaknesses identified by the audit.
  3. Strong access controls. Access control is a method of authenticating users and limiting access to systems and data. Some examples of access controls are implementation of access privileges on a need-to-access basis, use of complex passwords, and multifactor authentication.
  4. Annual training. A service provider’s cybersecurity program should include annual training of the service provider’s personnel on its policies, procedures, guidelines, and standards for protecting IT systems and data.
  5. Business continuity and disaster recovery. The service provider should have one or more business continuity and disaster recovery plans to recover, resume, and maintain services following a disruption.
  6. Encryption. The service provider should encrypt data to protect its confidentiality and integrity.
  7. Technical controls. The service provider should implement technical controls to protect its IT systems and data. Examples of technical controls are anti-virus software, routine patch management, and data backup.
  8. Cybersecurity incident response plan. The service provider should have a response plan for cybersecurity incidents that includes, without limitation, providing notice of the incident to the plan sponsor and/or plan fiduciary, investigating the incident, complying with applicable data privacy laws and remediating the issue(s) that caused the incident.

We encourage our readers to review the guidance for more information, including information on additional cybersecurity best practices.