DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

U.S. Department of Labor Issues Cybersecurity Guidance for ERISA-Covered Plans


There has been a rash of high-profile cyberattacks in the United States recently. Some of the more visible public attacks include SolarWinds, the Microsoft Exchange attack, Accellion, the Florida water treatment plant and, more recently, the devastating cyberattacks against Colonial Pipeline. These attacks, while disruptive, also yielded high-dollar payments to the cyber-threat actors.

ERISA-covered plans hold just under $10 trillion in assets, and these plans are particularly enticing for cyber-threat actors. Although the Colonial Pipeline cyberattack was executed by a coordinated hacking group, cyberattacks on ERISA-covered plans have historically been less complex. A typical scenario involves a retired employee’s ERISA account being accessed by an imposter, who then steals the account balance.

With the increasing frequency of cyberattacks, it seems probable that coordinated execution will find its way to the substantial assets held in ERISA-covered plans. Foreshadowing this scenario, on April 12, 2021, the U.S. Department of Labor (DOL) issued guidance on cybersecurity best practices to help mitigate the risk caused by cyber-threat actors on ERISA-covered plans.

While the best practices are voluntary, they appear to establish minimum expectations of ERISA-covered plans and fiduciaries. The DOL notes that ERISA requires plan fiduciaries to take appropriate precautions to mitigate the risks, from both internal and external cybersecurity threats, to the assets of ERISA-covered plans. In that regard, the DOL recommends the following twelve best practices for cybersecurity:

  1. Create a formal, well-documented cybersecurity program;
  2. Conduct annual cyber-risk assessments to identify and prioritize system risks;
  3. Conduct a reliable and annual third-party audit of cybersecurity controls on your network;
  4. Clearly define and assign roles and responsibilities for your information security staff;
  5. Implement strong access control procedures on your IT network to guarantee that users are who they say they are;
  6. Assets or data stored in the cloud, or managed by a third party, must be subject to appropriate security reviews and independent security assessments;
  7. Ensure your business conducts annual cybersecurity awareness training for all personnel to reflect risks identified by your most recent risk assessment;
  8. Implement a secure system development life cycle program that includes such activities as penetration testing and code review;
  9. Adopt an up-to-date and effective Business Continuity Plan, Disaster Recovery Plan and a Written Incident Response Plan (WISP);
  10. Encrypt network sensitive data while at rest and while in transit;
  11. Ensure the network has strong technical controls implementing best security practices, including regular patch management updates, network segregation and routine data backup; and
  12. Adopt a plan to respond quickly and effectively to a cybersecurity incident or breach.

While there is no panacea that will ensure complete cybersecurity, these best practices are strong steps toward better securing ERISA-covered plans and fiduciaries from malicious cyber-threat actors. These recommendations should be seriously considered and the implementation of them properly documented to illustrate compliance with the DOL guidance.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness, response and compliance. View Jason's full bio on the Faegre Drinker website.

About the Author: Jeremy Pelphrey

Jeremy is a partner in the firm's Benefits & Executive Compensation group. Read Jeremy's full bio on the Faegre Drinker website.

June 30, 2021
Written by: Jason G. Weiss and Jeremy Pelphrey
Category: Cybersecurity
Tags: cyberattack, DOL, ERISA

