Warning: Cyber criminals are coming for your client’s retirement information

Constangy, Brooks, Smith & Prophete, LLP

As cyberattacks and cybercriminals are becoming increasingly sophisticated, safeguarding employee benefit plans, including health and welfare plans, is crucial. The Employee Benefits Security Administration of the U.S. Department of Labor has published an update to its guidance initially issued in April 2021 on cybersecurity best practices for plan sponsors and fiduciaries.  

The guidance has 12 recommendations. A summary of each follows:

No. 1: Establish a Formal Cybersecurity Program. This includes developing and maintaining a program that identifies and assesses internal and external cybersecurity risks.

No. 2: Conduct Annual Risk Assessments. Plan sponsors should regularly evaluate potential threats to their IT infrastructure.

No. 3: Third-Party Audits. Independent auditors should assess a plan sponsor's security posture. This can help identify vulnerabilities and weaknesses from an unbiased perspective.

No. 4: Clearly Define and Assign Information Security Roles and Responsibilities. It is important for plan sponsors to define roles and duties within the organization to effectively manage the cybersecurity program.

No. 5: Implement Strong Access Controls. Plan sponsors should use multifactor authentication and limit personnel access to sensitive data and systems.

No. 6: Assess Cloud and Managed Service Providers. This includes ensuring that all third-party service providers undergo security assessments so that plan participants' sensitive data is adequately protected.

No. 7: Provide Cybersecurity Awareness Training. It is important for plan sponsors to continually and frequently educate all employees on cybersecurity risks.

No. 8: Develop a Secure System Development Life Cycle Program. This includes incorporating security measures throughout the development and maintenance of systems to prevent vulnerabilities.

No. 9: Implement a Business Resiliency Program. Establish business continuity, disaster recovery, and incident response plans, all of which can help plan sponsors and fiduciaries to quickly address and recover from cybersecurity attacks.

No. 10: Encrypt Sensitive Data. This includes encrypting all data both at rest and in transit to prevent unauthorized disclosure. 

No. 11: Implement Strong Technical Controls. Plan sponsors should keep hardware, software, and firmware up to date to ensure there are no vulnerabilities. Additionally, it is important to have up-to-date backups and network segmentation.

No. 12: Appropriately Respond to Any Past Cybersecurity Incident. Have protocols in place when notifying law enforcement, investigating the incident and hardening the IT infrastructure to prevent a security incident from reoccurring. In addition, plan sponsors should have a plan for determining when to notify affected individuals, as well as state and federal regulators.

The guidance is meant to help plan sponsors and fiduciaries enhance their cybersecurity posture. By adhering to these guidelines, plan sponsors and fiduciaries demonstrate their commitment to safeguarding sensitive information.

To learn more about the guidance, please click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Constangy, Brooks, Smith & Prophete, LLP
