Data breaches are not just an IT risk: they can affect people, compliance and fiduciary responsibility. Health records are valuable targets on the dark web, so health plan administrators and their vendors must protect them.
The U.S. Department of Labor (DOL) Employee Benefits Security Administration (EBSA) is prioritizing cybersecurity audits in 2026, according to an update on its national enforcement projects. This year, EBSA investigators are well-equipped to evaluate cybersecurity programs, and we have a clear idea of what they are looking for during audits, Julie Tracy, manager of cybersecurity advisory at Withum, told the audience during a recent International Foundation webcast. This blog post highlights the annual actions and documentation that DOL expects to see during cybersecurity audits.
Five Annual Activities That DOL Expects to See During Cybersecurity Audits
Tracy highlighted several essential updates from DOL's cybersecurity program best practices. To stay compliant, the following activities must be reviewed and approved annually (or more frequently, as noted): written policies, role-based access controls, security awareness training, independent assessments of cybersecurity program effectiveness and vendor assessments. (Note: this list is not exhaustive; refer directly to DOL compliance assistance resources.)
Review and approve written policies annually. Policies and procedures set parameters for a cybersecurity program, ensuring consistency and continuity despite personnel changes. Multiemployer plan trustees must approve policies annually. If no changes are needed, that’s acceptable. Record approval on the policy cover sheet, trustee meeting agenda and meeting minutes. Note the review date and specify that the approval is for the next 12 months.
Review role-based access controls quarterly. Access control is a method of ensuring that access to systems, assets and associated facilities is limited to authorized users, devices, activities and transactions. DOL requires access privileges to be role-based and to follow the need-to-access principle, so that individuals have only the minimum permissions needed for their duties.
Tracy described a hypothetical HR report that lists roles and responsibilities for all individuals, assigns an individual to a group and assigns an access control to the group.
DOL’s best practice includes reviewing user access every three months to promptly disable or delete accounts of people who left the organization or have excessive permissions.
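The quarterly review described above comes down to reconciling two records: the HR report (who is employed and in what role, which determines the group and therefore the permissions) and the identity system's account export (who actually has which groups). The script below is an added example, not material from the webcast or from DOL; the role-to-group mapping, the HR roster rows and the account export are constructed sample data, and the field names (`user`, `role`, `status`, `enabled`, `groups`) are assumptions about how such exports might be shaped. It flags the three conditions a reviewer acts on: accounts of people who have left, accounts carrying groups beyond their role, and accounts with no HR record at all, and it produces a per-issue tally suitable for the trustee meeting minutes.

```python
"""Quarterly role-based access review (added example; not DOL or Withum code).

Assumed inputs (not specified on the page):
  - HR_ROSTER: rows from the HR report with user, role and employment status
  - ROLE_GROUPS: which groups each role is entitled to
  - ACCOUNT_EXPORT: identity-system export with enabled flag and group set
"""
from collections import Counter
from dataclasses import dataclass

# Role -> groups the role is entitled to (constructed, hypothetical mapping)
ROLE_GROUPS = {
    "claims_analyst": {"claims_read", "claims_write"},
    "claims_supervisor": {"claims_read", "claims_write", "claims_approve"},
    "trustee": {"board_portal"},
    "it_admin": {"sys_admin", "claims_read"},
}

# Constructed HR report rows
HR_ROSTER = [
    {"user": "asmith", "role": "claims_analyst", "status": "active"},
    {"user": "bjones", "role": "claims_supervisor", "status": "active"},
    {"user": "clee", "role": "claims_analyst", "status": "terminated"},
    {"user": "dkim", "role": "trustee", "status": "active"},
]

# Constructed identity-system export (one row per account)
ACCOUNT_EXPORT = [
    {"user": "asmith", "enabled": True,
     "groups": {"claims_read", "claims_write"}},
    {"user": "bjones", "enabled": True,
     "groups": {"claims_read", "claims_write", "claims_approve", "sys_admin"}},
    {"user": "clee", "enabled": True,
     "groups": {"claims_read", "claims_write"}},
    {"user": "dkim", "enabled": True, "groups": {"board_portal"}},
    {"user": "svc_legacy", "enabled": True, "groups": {"sys_admin"}},
]


@dataclass
class Finding:
    user: str
    issue: str    # "terminated_active", "excess_groups" or "no_hr_record"
    detail: str
    action: str   # the remediation the reviewer should record


def review_access(roster, accounts):
    """Compare the HR roster with the account export and return findings.

    Accounts that are disabled and belong to departed staff produce no
    finding: the access has already been removed.
    """
    by_user = {row["user"]: row for row in roster}
    findings = []
    for acct in accounts:
        record = by_user.get(acct["user"])
        if record is None:
            # No HR row at all: an orphaned or unowned account
            findings.append(Finding(
                acct["user"], "no_hr_record",
                "account has no matching HR record",
                "confirm the owner or disable the account"))
            continue
        if record["status"] != "active" and acct["enabled"]:
            # Person has left but the account is still enabled
            findings.append(Finding(
                acct["user"], "terminated_active",
                f"HR status is {record['status']} but account is enabled",
                "disable the account and remove its group memberships"))
            continue
        allowed = ROLE_GROUPS.get(record["role"], set())
        extra = acct["groups"] - allowed
        if extra:
            # Groups the role does not entitle the person to
            findings.append(Finding(
                acct["user"], "excess_groups",
                f"not permitted for role {record['role']}: "
                + ", ".join(sorted(extra)),
                "remove the listed groups"))
    return findings


def summarize(findings):
    """Count findings per issue type for the review record."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNT_EXPORT)
    for f in results:
        print(f"{f.user}: {f.issue} ({f.detail}) -> {f.action}")
    print("summary:", summarize(results))
```

Run against the sample data, the review reports one departed employee whose account is still enabled, one supervisor holding an admin group outside their role and one account with no HR record. The findings list, together with the date and the actions taken, is the documentation an investigator would expect to see for the quarter.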
Conduct security awareness training annually for all employees. However, Tracy recommended a monthly or quarterly frequency, as trainees remember and act on their training better with more frequent sessions. With longer breaks between sessions, people could forget; at a shorter interval, people might tune out.
Employees are often an organization's weakest link in cybersecurity. They frequently work under pressure to multitask and respond quickly, which makes it hard to slow down and check unusual requests. In addition, artificial intelligence (AI) is making phishing harder to detect. Many workers are still clicking links, replying to messages or verifying requests only after taking action, according to a report by Sagiss.
The goal of training is to make sure everyone understands their role in protecting the organization. A comprehensive cybersecurity awareness program sets clear expectations for all employees and educates everyone to recognize attacks, help prevent cyber-related incidents and respond to potential threats. Keep current on cyber threat trends and evolving efforts to gain unauthorized access to systems. The training should not list the same things repeatedly; it needs to be new and refreshed every single time training is delivered, Tracy noted. Be on the lookout for individuals falsely posing as authorized plan officials, fiduciaries, participants or beneficiaries, according to DOL's best practices.
Conduct penetration testing annually. DOL expects to see documented annual penetration (pen) testing. In a manual pen test, a vendor simulates a threat actor to realistically attempt what an attacker would do (i.e., the pen tester attempts to breach systems and exploit the vulnerabilities found). Retain detailed documentation on the scope of the test, identify any vulnerabilities found, and describe the measures implemented to address and remediate those vulnerabilities.
Assess vendors annually. Ensure that all vendors with access to participant data have a cybersecurity policy aligned with DOL best practices. Tracy shared the following key steps: evaluate each vendor's controls, rate the risk level their handling of your plan's data presents and determine whether they can promptly implement a cybersecurity program when needed.
Learn More
Cybersecurity is everyone’s responsibility. Ensure that all levels of staff know how to keep your organization secure with additional training for specialized staff.
View the recording to hear Tracy’s insights on:
- Common threats targeting employee benefit data
- Layered approaches to cybersecurity
- Trends to follow regarding new business email compromise
- Cyber insurance coverage and limitations
- Postbreach action steps
Developed by International Foundation Information Center staff. This does not constitute legal advice. Please consult your plan professionals for legal advice.