Typically, when the U.S. Department of Labor (“DOL”) issues a new rule or guidance on fiduciary responsibility, it takes a long period before it gets its audits of plan sponsors underway. That was not the case with the DOL’s cybersecurity program.
The addition of cybersecurity to routine retirement plan audits conducted by the DOL’s enforcement arm, the Employee Benefits Security Administration (“EBSA”), began almost immediately after it published its guidelines in 2021. Since then, the EBSA has made examining cybersecurity governance practices a standard activity in all its retirement plan audits.
Agility in the Face of Enforcement
Employers that have integrated governance, risk management, and compliance (“GRC”) techniques into their retirement plan frameworks have fared better than their counterparts in mitigating the impact of a surge in plan audits.
When responding to a DOL cybersecurity audit, agile employer organizations maintained a library of documents that demonstrates their compliance with cybersecurity regulations and best practices. Here is a list of must-have documents:
- Information security policy
- Acceptable use policy
- Incident response plan
- Business continuity and disaster recovery plan
- Access control policy
- Data classification and handling policy
- Records of risk assessments
- Risk management plans
- Evidence of risk mitigation strategies
- Network architecture diagrams
- Asset inventory
- Records of security controls in place (firewalls, encryption, intrusion detection/prevention systems)
- Security awareness training records for employees
- Records of past cybersecurity incidents and responses
- Logs of incident detection and response activities
- Records of compliance with relevant cybersecurity standards and regulations (e.g., NIST and ISO 27001)
- Results of any third-party security assessments or audits
- Vendor management documentation
- Training records for cybersecurity awareness programs
- Records of security briefings or communications to employees
- System and application documentation
- Security configuration standards and baselines
- Records of system logs and monitoring activities
- Evidence of log retention and review processes
- Reports from security tools and systems
- Compliance status reports
- Results of vendors’ vulnerability assessments and penetration tests
- Evidence of vendors’ regular security testing activities
It’s important to ensure that all the documentation provided is accurate, up-to-date, and reflects the organization’s actual cybersecurity posture.
Additionally, the specific documentation requirements may vary depending on whether the audit is a stand-alone cybersecurity audit or covers the entire scope of retirement plan operations.