Cybersecurity Considerations for Benefit Plans

Posted by BAS - 09 March, 2017


The Advisory Council on Employee Welfare and Pension Benefit Plans, referred to as the “ERISA Advisory Council,” recently released its November 2016 report to the Department of Labor with cybersecurity considerations for benefit plans.

The Report, which can be accessed here, is an examination of cybersecurity considerations relating to pension and welfare benefit plans. It is intended to help plan sponsors, fiduciaries and service providers develop a cybersecurity program. The report focuses on outlining cyber risk management strategies that can be scaled to a plan sponsor's plan size, type and resources. The report includes materials to use when developing a cybersecurity plan.

The Council observed that benefit plans, which maintain and share sensitive employee data, are often left out of a company’s security posture. This information should be specifically considered when implementing cybersecurity risk management measures.

The Council says the following are necessary for starting a cybersecurity approach for benefit plans:

  1. Understand plan data
  2. Consider a framework
  3. Process Considerations, including implementation, monitoring, testing and updating
  4. Report
  5. Train
  6. Control Access
  7. Consider Data Retention and Destruction
  8. Third Party Risk Management 

Employers should specifically consider their benefit plan data when formulating cybersecurity plans and processes.

