The Department of Labor recently published a Best Practices document on cybersecurity for ERISA plan fiduciaries. These items are worth reviewing and considering for most industries and employers.
To emphasize how crucial cybersecurity vigilance is, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, wrote in a letter today to the National Security Council: "There has been a significant hike in the frequency and size of ransomware attacks. The threats are serious and they are increasing. We urge businesses to review their policy and procedures regarding cybersecurity."
We have highlighted the takeaways from the ERISA document. For the full document, see Cybersecurity Program Best Practices (dol.gov).
- Have a formal program that identifies risks, provides protection, monitors for events, includes a recovery component, complies with required disclosures, and has a plan to restore normal operations.
- Perform an annual risk assessment that addresses the constantly changing environment and industry. Consider hiring a third party to audit your controls.
- Clearly define and assign information security roles and responsibilities.
- Implement strong access control procedures. Only allow access to those who need it, enforced through authentication and authorization.
- Review third-party agreements if using cloud or managed third-party assets. Review their risk assessments, verify that they meet your minimum security requirements (multi-factor authentication, encryption, notification protocol), and periodically reassess their risks.
- Train all personnel on cybersecurity. Employees tend to be the weakest link.
- Integrate security into the development of in-house applications, from penetration testing and code review to the identification of architectural weaknesses.
- Plan for an event. Address business continuity, recovery, and the handling of any incident. Be sure to consult your attorney or general counsel; they should be included in any team formed to address cybersecurity. There is value in having them handle the interface with law enforcement when reporting and investigating a breach or cyber incident.
- Encrypt sensitive data, both at rest and in transit.
- Put strong technical controls in place. Always update your software and firmware to the latest version. Back up your data locally and offsite. Segment your network. Install antivirus software and firewalls.
- Be responsive when there is a breach. Have a protocol that includes notifying law enforcement and your insurer, investigating the incident, communicating with those affected, and repairing the problems to prevent recurrence.
If your business needs assistance in reviewing policy and procedures or in developing a breach protocol, call the office to schedule an appointment with Loper Law LLC.