Cybersecurity Best Practices, DOL Style: Looking Ahead

Editor’s Note: This is the fifth in a series about the guidance the Department of Labor’s Employee Benefits Security Administration (EBSA) issued on April 14 concerning cybersecurity. The first is here; the second is here; the third is here; the fourth is here.

The Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued comprehensive guidance on cybersecurity from a variety of perspectives. This includes in-depth guidance on best practices to follow when seeking to protect the security of retirement accounts and plan data—and part of that is setting and using procedures that are forward-thinking.  

Business Resiliency

EBSA stresses the importance of ensuring that a business will continue to operate, and argues for the adoption of a business resiliency program that effectively addresses business continuity, disaster recovery and incident response.

EBSA defines “business resilience” as the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and data. It says that the following are core components of such a program. 

Business Continuity Plan. The guidelines define this as the written set of procedures an organization follows to recover, resume and maintain business functions and their underlying processes at acceptable predefined levels following a disruption. 

Disaster Recovery Plan. EBSA defines this as the documented process by which an organization’s IT infrastructure, business applications, and data services can be recovered and resumed if a major disruption occurs.

Incident Response Plan. This is a set of instructions to help IT staff detect, respond to and recover from security incidents.

An effective business resiliency program, says EBSA, should:

  • Reasonably define the internal processes for responding to a cybersecurity event or disaster. 
  • Reasonably define plan goals. 
  • Define the documentation and reporting requirements regarding cybersecurity events and responses. 
  • Clearly define and describe the roles, responsibilities, and authority levels. 
  • Describe external and internal communications and information sharing, including protocols to notify plan sponsor and affected user(s) if needed. 
  • Identify remediation plans for any identified weaknesses in information systems. 
  • Include after action reports that discuss how plans will be evaluated and updated following a cybersecurity event or disaster. 
  • Be tested annually based on possible risk scenarios.

Responding to Cybersecurity Incidents or Breaches 

The guidance says that appropriate action should be taken when a cybersecurity breach or incident occurs, in order to protect the plan and its participants. Such action, EBSA says, includes: 

  • informing law enforcement;
  • notifying the appropriate insurer;
  • investigating the incident;
  • giving affected plans and participants the information necessary to prevent/reduce injury;
  • honoring any contractual or legal obligations regarding the breach, including complying with agreed upon notification requirements; and
  • fixing the problems that caused the breach to prevent its recurrence.