There has been a rash of high-profile cyberattacks in the United States recently. Some of the more visible public attacks include SolarWinds, the Microsoft Exchange attack, Accellion, the Florida water treatment plant and, more recently, the devastating cyberattack against Colonial Pipeline. These attacks, while disruptive, also yielded high-dollar payments to the cyber-threat actors.
ERISA-covered plans hold just under $10 trillion in assets, and these plans are particularly enticing for cyber-threat actors. Although the Colonial Pipeline cyberattack was executed by a coordinated hacking group, cyberattacks on ERISA-covered plans have historically been less complex. A typical scenario involves a retired employee's ERISA account being accessed by an imposter, who then steals the account balance.
With the increasing frequency of cyberattacks, it seems probable that coordinated execution will find its way to the substantial assets held in ERISA-covered plans. Foreshadowing this scenario, on April 12, 2021, the U.S. Department of Labor (DOL) issued guidance on cybersecurity best practices to help mitigate the risk caused by cyber-threat actors on ERISA-covered plans.
While the best practices are voluntary, they appear to establish minimum expectations of ERISA-covered plans and fiduciaries. The DOL notes that ERISA requires plan fiduciaries to take appropriate precautions to mitigate the risks, from both internal and external cybersecurity threats, to the assets of ERISA-covered plans. In that regard, the DOL recommends the following twelve best practices for cybersecurity:
- Create a formal, well-documented cybersecurity program;
- Conduct annual cyber-risk assessments to identify and prioritize system risks;
- Conduct a reliable and annual third-party audit of cybersecurity controls on your network;
- Clearly define and assign roles and responsibilities for your information security staff;
- Implement strong access control procedures on your IT network to guarantee that users are who they say they are;
- Subject assets or data stored in the cloud, or managed by a third party, to appropriate security reviews and independent security assessments;
- Ensure your business conducts annual cybersecurity awareness training for all personnel to reflect risks identified by your most recent risk assessment;
- Implement a secure system development life cycle program that includes such activities as penetration testing and code review;
- Adopt an up-to-date and effective Business Continuity Plan, Disaster Recovery Plan and a Written Incident Response Plan (WISP);
- Encrypt sensitive network data while at rest and while in transit;
- Ensure the network has strong technical controls implementing best security practices, including regular patch management updates, network segregation and routine data backup; and
- Adopt a plan to respond quickly and effectively to a cybersecurity incident or breach.
While there is no panacea that will ensure complete cybersecurity, these best practices are strong steps toward better securing ERISA-covered plans and fiduciaries from malicious cyber-threat actors. These recommendations should be seriously considered, and their implementation properly documented, to illustrate compliance with the DOL guidance.