Here are some ways to protect your employees' valuable information from cybercriminals

Last year, the U.S. Department of Labor announced guidance for plan sponsors, record keepers, plan fiduciaries, and plan participants on common practices for maintaining cybersecurity — guidance that remains true for this year and beyond.

Retirement plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them attractive targets for cybercriminals. Plan governance/fiduciaries have the responsibility to maintain proper controls and practices to keep these assets safe.

The following list, prepared and issued by the Employee Benefits Security Administration of the U.S. Department of Labor, contains well-advised practices for any organization that offers an employee benefit program:

• Have a formal, well-documented cybersecurity program.

• Conduct prudent annual risk assessments.

• Have a reliable annual third-party audit of security controls.

• Clearly define and assign information security roles and responsibilities.

• Have strong access control procedures; special consideration should be given to implementing multi-factor authentication.

• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

• Conduct periodic cybersecurity awareness training.

• Implement and manage a secure system development life cycle (SDLC) program.

• Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

• Encrypt sensitive data, stored and in transit.

• Implement strong technical controls in accordance with best security practices.

• Appropriately respond to any past cybersecurity incidents.

• Establish a vendor risk management program requiring all third-party vendors, IT, and service providers to submit information regarding their security risk mitigation strategy. Risk can also be reduced by restricting vendor access only to information/data needed to conduct their work.

Frank Nemia

There is no such thing as being too careful when it comes to protecting your employees’ personal information. By implementing and maintaining sound security practices, both you and your workforce can rest a little easier this year and well into the future.

For more information on cybersecurity, contact Frank Nemia at francis.nemia@CLAconnect.com or 617-658-5224. For more information on CliftonLarsonAllen LLP, visit CLAconnect.com.

This article originally appeared on The Patriot Ledger: U.S. Department of Labor practices for employee benefit programs
