In April 2021, the U.S. Department of Labor (DOL) released new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cyber security. Third party administrators (TPAs) are required to follow certain rules of conduct and protect plan data and participant accounts. No matter how strong an organization’s policies are, it’s still vulnerable to an individual’s carelessness with passwords, emails, and other online behavior.
It is your responsibility to make sure that your employees are doing everything in their power to keep their accounts secure. Below, we have outlined the DOL’s best practices to help TPA firms stay on top of their cyber security systems.
1. Well-Documented Cyber Security Program
Your cyber security program should be comprehensive, identifying and assessing both internal and external risks that may threaten the confidentiality, integrity, and availability of stored personal information. Under the program, your TPA firm should implement information security (infosec) guidelines to keep IT infrastructure and data secure.
2. Annual Risk Assessments
Cyber risk is the likelihood of suffering significant disruptions to sensitive data, finances, or business operations. A cyber risk assessment is used to identify which of your organization’s assets are most vulnerable to infosec risks. The IT threat landscape is constantly evolving, so it’s important to design a manageable, effective risk assessment schedule.
3. Third Party Audit of Security Controls
Having a third party auditor evaluate your organization’s security controls gives a clear, unbiased picture of existing risks, vulnerabilities, and weaknesses. The Employee Benefits Security Administration (EBSA) would expect to see the following as part of its review:
- Audit reports, audit files, penetration test reports, and supporting documents.
- Audits and audit reports prepared and conducted per appropriate standards.
- Documented corrections of any weaknesses identified in the independent third party analyses.
4. Distinct InfoSec Roles and Responsibilities
A successful cyber security program must be managed by senior management and executed by qualified personnel. Typically, the Chief Information Security Officer (CISO) would be responsible for establishing and maintaining the vision, strategy, and operation of the program. Qualified personnel is expected to have:
- Sufficient experience, including any certifications
- Periodic background checks
- Regular training to address current cyber security risks
- Up-to-date knowledge of changing threats and countermeasures
5. Strong Access Control Procedures
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It consists of two main components: authentication and authorization. There is a wide variety of best practices for TPA firms regarding access control, such as:
- Limiting access privileges based on the role of the individual
- Requiring employees to have unique, complex passwords
- Using multi-factor authentication wherever possible
6. Assessments of Assets or Data Stored in the Cloud
Cloud computing technology provides easy access to applications and resources without the need for expensive hardware and software. Data is stored with a third party provider and accessed over the internet. In other words, your organization has limited visibility and control over its data. To understand the security posture of a cloud service provider, TPAs should:
- Require a risk assessment of third party providers
- Define minimum cyber security requirements for third party providers
- Periodically evaluate third party providers based on potential risks
- Ensure that guidelines and contractual protections are upheld
7. Periodic Cyber Security Training for All Employees
An organization’s weakest link for cyber security is human error. An effective cyber security awareness program should set clear expectations for all employees and educate them on how to recognize threats, prevent cyber-related incidents, and respond to a potential threat. Identity theft is a leading cause of fraudulent disruptions, and therefore, should be a top training priority. TPAs also need to be on the lookout for individuals posing as authorized plan officials, fiduciaries, participants, or beneficiaries.
8. A System Development Life Cycle (SDLC) Program
The System Development Life Cycle, or SDLC, is a conceptual framework that outlines policies and procedures for developing or altering a system throughout its life cycle. There are seven main stages of the modern SDLC, from planning to operations and maintenance. A secure SDLC process includes penetration testing, code review, and architectural analysis as an integral part of the system development effort.
9. A Business Resiliency Program
Business resiliency is the ability to rapidly adapt and respond to an unexpected incident or crisis while maintaining continuous business operations and safeguarding people, assets, and data. A business resiliency program encompasses your organization’s business continuity plan, disaster recovery plan, and incident response plan.
10. Encryption of Sensitive Data, Stored or in Transit
Data encryption is a security method where information is encoded and can only be accessed or encrypted by a user with the correct encryption key. It involves converting human-readable plaintext into incomprehensible text, or “ciphertext”. A system should apply current standards for encryption keys, message authentication, and hashing to protect any and all data stored or in transit.
11. Strong Technical Controls Aligned with Best Security Practices
Technical security solutions are primarily implemented and executed through the mechanisms contained in your system’s hardware, software, or firmware components. For the best technical security, update all models and versions of these components, including AV software. You should also implement vendor-supported firewalls, intrusion detection, and prevention tools. Additional tasks include routine patch management and data backup — preferably automated to save time and complexity.
12. Cyber Security Incident or Breach Response
In the event of a cyber security incident or breach, several steps need to be taken to protect the plan and its participants. Your organization should notify all parties involved, including law enforcement, the insurer, and the affected plan and participants. Be sure to honor any contractual or legal obligations concerning the breach, and fix any issues to prevent a future attack.
Cyber Security for TPA Firms in NJ & FL
Mindcore is proud to work with companies across all industries, including third party administrators. TPAs are not immune to cyber-attacks and data breaches, which is why we offer customized cyber security solutions in New Jersey and Florida. We will protect your network and IT systems while you focus on serving your clients. Contact us today to schedule a consultation!