DOL on the Prowl for Cybersecurity; Goes Further than SEC and NIST
A large cyberattack on U.S. infrastructure – this time a ransomware attack that shut down the Colonial Pipeline – has left us with a sharp reminder that cybersecurity threats are constant and real, and that we must remain vigilant. Financial services is one of the 16 critical infrastructure sectors defined by NIST, and the threats to financial firms continue to grow. Just weeks earlier, the U.S. Department of Labor stepped up its expectations of firms when it comes to cybersecurity. On April 14, 2021, the DOL released a set of three separate cybersecurity risk alerts in which it described expectations and requirements that fiduciaries should be following.
The first DOL guidance update states that “plan sponsors should use service providers that follow strong cybersecurity practices,” and provides Tips for Hiring Service Providers which sets forth factors that plan sponsors and fiduciaries should consider in making that determination. The DOL guidance recommends conducting due diligence of service providers’ cybersecurity standards, policies and procedures, testing, occurrence of incidents and breaches, contractual terms for protection of information, and whether the provider maintains cyberinsurance. These are all consistent with what the SEC recommends, and with prior CSS recommendations regarding effective vendor oversight. The DOL goes a step further to state that plan fiduciaries should attempt to add language to service contracts that mandate an independent security audit of the provider. Interpreting the DOL guidance, CSS recommends that plan fiduciaries document their vendor oversight with due diligence questionnaires and regularly refresh those responses.
A Well-Documented Information Security Program
The second DOL guidance update details Cybersecurity Program Best Practices for ERISA plan recordkeepers and other service providers. The guidance distills to a collection of best practices on having a well-documented information security program that covers governance, access controls, encryption, software development lifecycle (SDLC), BCP, and incident response, as well as annual cyber risk assessments, regular independent security testing, and periodic security awareness training. The DOL guidance for a well-documented cybersecurity program follows the NIST Cybersecurity Framework supported by the SEC, which organizes cyber controls into 5 buckets: (1) Identity , (2) Protect, (3) Detect, (4) Respond, and (5) Recover. The DOL adds disclosure and restoration as categories; however, NIST and the SEC tend to cover both of these under the Respond and Recover functions.
The DOL states that cybersecurity policies should cover the following (which align with SEC expectations and which CSS covers when assisting firms in creating information security policies and procedures):
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery
- Configuration management
- Asset management
- Risk assessment
- Data disposal
- Incident response
- Systems operations
- Vulnerability and patch management
- System, application and network security and monitoring
- Systems and application development and performance
- Physical security and environmental controls
- Data privacy
- Vendor and third party service provider management
- Consistent use of multi-factor authentication
- Cybersecurity awareness training, which is given to all personnel annually
- Encryption to protect all sensitive information transmitted and at rest
Staying Safe Online
The third DOL guidance update details Online Security Tips meant to educate plan participants in keeping their retirement accounts secure. These tips include regularly monitoring online accounts, using strong passwords with multifactor authentication, avoiding public wireless networks when feasible, watching out for phishing attacks, and maintaining current antivirus protection and updated software patches. Here, the DOL goes further than current NIST guidance by recommending passwords be at least 14 characters long rather than the 8 characters recommended by NIST.
As additional regulators take a closer look at financial organizations’ cybersecurity posture, it is imperative that firms periodically evaluate the effectiveness of their information security controls. A firm’s fiduciary duty to clients clearly includes an obligation to reasonably safeguard information entrusted to the firm by these clients. For information about how CSS’s cybersecurity experts can help you assess, protect, and monitor your information security program, please contact us at firstname.lastname@example.org .