Practical Tip
The DOL’s Advisory Council on Employee Welfare and Pension Benefit Plans identified seven categories of practices that should be present in a prudent data security framework.
Data security practices should be dynamic and adaptive
Seven Practices that Reduce Data Security Risk
- Implementation and Monitoring
For a strategy to be successful, someone should have responsibility for its implementation within the plan sponsor organization, on the fiduciary body, and at third-party service providers. Once ownership is identified, the frequency at which the strategy will be reviewed and potentially updated should be established.
- Testing and Updating
All entities involved in benefit plan cybersecurity should agree on the frequency and type of testing procedures to be conducted and on who will conduct them. Consideration may also be given to whether outside certifications, such as the HITRUST model or SOC 2 reporting for vendors, could help streamline testing procedures. Plan sponsors and service providers might also want to consult a cybersecurity expert to determine the best testing approaches for the plan.
- Reporting
When developing benefit plan policies and procedures, plan fiduciaries should consider the level and frequency of reporting to, where applicable, any established benefits committee, the investment committee, or other named fiduciaries identified within the plan’s delegation structure.
- Training
Data security is a people issue, and training is critical. A key component of any data security policy should be training for staff involved with benefit plans or with direct or indirect access to benefit plan data.
- Controlling Access
Given the importance of people in a data security strategy, plan fiduciaries should understand exactly who has direct or indirect access to sensitive data, and they should endeavor to limit that access as much as possible.
- Data Retention and Destruction
In addition to limiting who can access data, plan fiduciaries should consider limits on data sharing, data storage, and data retention periods. Many experts recommend restricting data sharing and storage to the minimum necessary to perform a function and satisfy responsibilities, which reduces the impact of a breach.
- Third-Party Risk Management
Plan sponsors should understand service providers’ security programs for the data shared with them and stored by them. A first step is to inventory all service providers that handle the plan’s participant and asset data. The second step is to determine whether those service providers outsource activities to other providers. Once a comprehensive list has been developed, plan sponsors should consider requesting from each provider either information on its security procedures and how they affect the benefit plan, or an industry-recognized certification or audit report.