As a practical matter, impacted companies will want to review and confirm that their organizations’ actions align with the guidance, particularly with respect to how they oversee the third parties hired to administer such plans. And while much of the content of the new cybersecurity guidance will be familiar to those who have worked with plans covered by the Health Insurance Portability and Accountability Act (HIPAA), there are some differences. For example, EBSA references explicitly the use of additional specific elements such as secure system development and multi-factor authentication.
EBSA’s guidance comes in the form of three related documents. The first document is aimed at plan service providers—those responsible for plan-related IT systems and data—and is also instructive for those who hire them. The second and third documents are shorter and provide guidance to plan sponsors on conducting due diligence when hiring service providers and to employees seeking to protect their benefit accounts, respectively.
1. Cybersecurity Program Best Practices for Service Providers
The most substantial guidance document, Cybersecurity Program Best Practices, sets forth suggested cybersecurity practices for those responsible for plan-related IT systems and data. The document notes that plan fiduciaries should consider service providers’ alignment with the following 12 “best practices” when making hiring decisions:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Many of these practices will be familiar to those that support certain types of regulated plans, such as health plans governed by HIPAA and its implementing regulations, or have designed their cybersecurity programs and controls to align with other prescriptive cybersecurity laws, regulations, and frameworks. For example, #10 calls for sensitive data to be encrypted at rest and in transit, which is similar to HIPAA’s encryption requirements as well as the New York Department of Financial Services (NYDFS) Cybersecurity Regulations, and #2 calls for regular risk assessments akin to similar requirements under HIPAA and NYDFS regulations. EBSA’s guidance in some cases includes a level of specificity beyond HIPAA and certain other cybersecurity laws/regulations, however, such as in #5 which recommends multifactor authentication be used “wherever possible” (whereas HIPAA merely requires regulated entities to evaluate appropriate authentication mechanisms) and review of access privileges occur at least every three months (whereas HIPAA requires periodic access reviews, without specifying frequency).
Other noteworthy aspects of EBSA’s guidance, as compared to other cybersecurity laws and regulations such as HIPAA, include the following:
- Extent of cybersecurity program documentation (#1). Numerous laws and regulations require in-scope entities to maintain a written information security policy that covers a range of topics. EBSA’s guidance includes 18 different areas that are expected to be addressed in “formal and effective policies and procedures,” including certain topics (such as systems operations, systems and application development and performance, and consistent use of multi-factor authentication) that are not identified frequently in other cybersecurity laws and regulations.
- Annual third-party audit of security controls (#3). Although relatively common in practice (e.g., SOC 2 audits), other cybersecurity laws and regulations typically do not require entities to undergo independent third-party audits nor require annual completion. In addition, the EBSA guidance calls out penetration test reports as an element of an “effective audit program,” which may be familiar to many entities but is not frequently called out specifically in other cybersecurity requirements.
- Secure system development life cycle (“SDLC”) program (#8). The EBSA guidance includes prescriptive “best practices” around how applications are configured and tested, for example calling out the presumptive default that alerts trigger on changes in an individual’s account information, and that customer-facing applications undergo annual penetration tests.
- Specific aspects of incident/breach response (#12). Although #9 includes general incident response plans and processes within its discussion of business resiliency, this element of the guidance singles out specific external stakeholders where EBSA expects to see communication and coordination, most notably law enforcement and insurers (in addition to the affected plans and participants) – whereas other cybersecurity frameworks may reference the potential for law enforcement coordination without encouraging or requiring it.
2. Advice for Plan Sponsors and Employees
The second document, Tips for Hiring a Service Provider with Strong Cybersecurity Practices, directs plan sponsors to conduct due diligence when selecting service providers. According to EBSA’s guidance, fiduciaries should be prudent in selecting plan service providers, evaluating their cybersecurity practices and track records. Fiduciaries should also ensure that their contracts permit them to adequately monitor service providers’ compliance with cybersecurity standards.
3. Consumer-Directed Advice
The third and final document, Online Security Tips, provides guidance to help employees secure their benefit accounts. The tips include choosing strong passwords, enabling multifactor authentication, watching out for phishing, using an antivirus, and monitoring and updating online accounts.
Cybersecurity continues to be a top risk for almost all entities. EBSA’s new guidance demonstrates how another agency has stepped forward to articulate expectations for entities regulated under its authority. Companies will be prudent to review and consider how best to address the new guidance, as its requirements are reasonably likely to become a point of reference in any litigation or enforcement actions stemming from a breach or other type of cybersecurity incident that affects ERISA-covered benefits plan data.
Authored by Paul Otto, Harriet Pearson, and Jacob Wall.