AlbanyConsultant, posted January 28:
I'm having a meeting with my cybersecurity consultants on Monday, and I figured I'd bring them the latest guidance we have to try and follow. Are those 3 pdfs from the DOL in April 2021 (news release here) pretty much what we have officially (or semi-officially)? Thanks.
Patty, posted January 31:
DOL has been doing audits on this already, and they have added extensive questions on it to their pre-audit information request letters. I have not seen such a letter - but there is a lot of chatter about it, and checklists circulating.
MoJo, posted February 1:
Here's the relevant parts of one a client of ours received last November:

32. Plan’s (and/or any entity with access to plan assets and data) cybersecurity breach response plan (or disaster recovery plan if it addresses a potential cybersecurity breach).

33. Schedule of systems critical to the maintenance and protection of Plan participant data and assets. Provide information sufficient to:
a. Describe the critical data used by the Plan (i.e., Payroll records; Elections and beneficiary forms; Electronic personnel records; Plan data maintained in house or with custodians, etc.)
b. Identify where the data resides.
c. Show which systems (and data) are outsourced to service providers (e.g. cloud email).
d. Describe any spreadsheets that are used as critical systems (e.g. census data).
e. Describe file sharing systems (e.g., shared folders on a network).
f. Describe how email is used to administer the Plan.

34. For each system identified in the schedule requested in request #32, provide information sufficient to describe:
a. Access controls (e.g., who has administrator privileges to the email server?)
b. Physical controls over key systems (e.g., locked server room).
c. Third-party vendors providing outsourced systems and oversight (e.g., cloud provider).

35. If applicable, for internally developed systems, copies of system development lifecycle controls required by the organization.

36. Documents showing any communications or reports related to cybersecurity events, cybersecurity breaches, unauthorized access, or suspicious activity (i.e. participant benefit inquiries, participant complaints, internal or external communications with company staff and vendors), including documentation showing potential losses to Plan assets as a result of the cybersecurity events.

37. To the extent not produced in response to the requests above, provide all documents constituting or reflecting the Plan’s processes for the encryption of sensitive data, stored and in transit.
Lois Baker, posted February 1:
Here are some additional resources.
David L, posted April 20:
One of the TPA requirements is to get an outside cyber audit. Is anyone actually doing this?
MoJo, posted April 20:
Quoting David L (3 minutes ago): "One of the TPA requirements is to get an outside cyber audit. Is anyone actually doing this?"

First, it's one of the "recommendations" - not a requirement (although DOL recommendations should be taken seriously by fiduciaries) and yes, we do (as a bundled/unbundled recordkeeper). There is a "NIST" standard, and those who conduct risk audits based on that standard. We also have a SOC-2 audit....
Peter Gulia, posted April 21:
It’s typical for a recordkeeper to get assurance reports of the kinds MoJo describes. But is an assurance report about data security typical for a third-party administrator (one that’s not part of, and not affiliated with, a recordkeeper)?

Peter Gulia PC, Fiduciary Guidance Counsel, Philadelphia, Pennsylvania, 215-732-1552, Peter@FiduciaryGuidanceCounsel.com
MoJo, posted April 21:
Quoting Peter Gulia (11 hours ago): "It’s typical for a recordkeeper to get assurance reports of the kinds MoJo describes. But is an assurance report about data security typical for a third-party administrator (one that’s not part of, and not affiliated with, a recordkeeper)?"

I think it's hard to generalize here - because the services of TPAs vary widely. For example, we work with TPAs (in addition to our bundled offering), and in most cases, those TPAs don't "handle" any of the client's data. All data comes directly to us from the plan sponsor, and then the TPA accesses that data via a portal to do what they do. It's on us to secure the data, and the portal is via a secure link. Not sure what would be audited. Other TPAs do handle the data more directly for various services (I used to work for a TPA that had its own web portal for participants to do various things - like request distributions, change deferrals, etc. - and then they passed the data off to the recordkeeper). I'm sure there are some that have cybersecurity assurance audits, but perhaps the better question(s) are: should they, and under what circumstance would that be appropriate/required (given the current data security environment)?
Peter Gulia, posted April 21:
MoJo makes the sensible point that a TPA might not need its auditor’s review of some other person’s controls. So, let’s ask these questions:

1. If a TPA often or sometimes works with data when the data is on the TPA’s system (rather than in the custodian’s, recordkeeper’s, or employer/administrator’s system), should such a TPA engage a data-security audit (focused on what would be on the TPA’s system)?

2. Even if a TPA always works with data sitting only on someone else’s system, should such a TPA nonetheless engage a data-security audit about the TPA’s controls for identifying the TPA’s users and safeguarding a user’s powers to access others’ systems?