Increasing Cyber Regulations: The Latest from Labor and TSA

Virtually every aspect of modern life has a cyber component – a vital connection of data and server space. This technology brings essential efficiency and compatibility with modern operations. But it also brings an ever-increasing number of vulnerabilities and security considerations. While historically not at the forefront of the cybersecurity mindset, government regulators have started to take notice.

In the past two years, both the Department of Labor and the Transportation Security Administration have enacted new guidance and standards for entities operating within their jurisdictions. Labor has identified vulnerabilities affecting American workers’ retirement plans, including private pension plans and defined contribution plans. Meanwhile, TSA is focusing on maintaining the integrity of the country’s rail and airfare systems.

Compliance within new guidance keeps organizations from significant liabilities in the event of cyber breaches that impact peoples’ financial and physical safety. It’s important for organizations to be familiar with the specific requirements set by new regulations. Once these are reviewed, organizations need to perform the proper self assessments and set up thorough plans that will withstand scrutiny and protect from worst-case cyber scenarios.

Below are summaries of the latest regulatory rules and guidance from DOL and TSA respectively.

 

Department of Labor

There are more than 140 million participants in either private pension plans or defined contribution plans covering assets estimated at over $9.3 trillion. The guidance is aimed at plan sponsors, plan fiduciaries, record keepers and plan participants of employee benefit plans under the Employee Retirement Income Security Act of 1974 (ERISA). ERISA requires plan fiduciaries to engage in risk mitigation to protect these assets, which now includes protection from cyber crime.

In April of 2021, the U.S. Department of Labor released guidance in the form of:

With the guidance, DOL is signaling to plan fiduciaries a new spectrum of responsibilities in managing cyber risk and protecting plan beneficiaries. The Best Practices document above is of particular interest, since it essentially establishes a new floor for expectations of awareness around cybersecurity. These expectations signal a new reference point when determining who is responsible for losses to these plans in the event of a cyber incident, as determined by arbitrators, the court system, or DOL itself. Generally, DOL is becoming more prescriptive with this approach, laying out the elements and actions it considers part of a minimum cyber risk plan.

Among the elements laid out in the plan are documented, formal cybersecurity programs, annual risk assessments, audits by third parties, training for employees and relevant parties, and disaster recovery plans. Many plan fiduciaries are becoming more familiar with these processes as required by other financial regulatory agencies. However, keeping track of which agency requires which combination of practices at certain points of audit becomes a increasingly complex task. 

 

Transportation Security Administration

The Department of Homeland Security issued new Security Directives in late 2021 relating to the Transportation Security Administration (TSA)’s oversight of higher-risk freight railroads, passenger rail, and rail transit. These rules came after an emergency response to companies within TSA’s jurisdiction operating energy pipelines, following the ransomware attack on Colonial Pipeline.

Owners and operators within TSA’s jurisdiction are directed to identify cybersecurity coordinators, report cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, develop and implement an incident response plan, and complete cybersecurity vulnerability assessments. TSA followed with additional guidance for aviation security programs that also require designation of cybersecurity coordinators and a requirement to report to CISA within 24 hours.

The regulations require transportation companies to take steps to protect their systems from cyber attacks, including the establishment and maintenance of a cybersecurity program, a process for identifying cyber risks and their scale of impact, controlling access to systems and data, a plan for response and recovery, and proper employee training.  These regulations are mandatory for all transportation companies that operate in the United States with non-compliant companies subject to civil penalties.

An increased focus on cybersecurity by the TSA also means more specific standards than previous guidance established. A proper cybersecurity plan is not only theoretical, but regularly assessed and properly tested in the context of an organization’s daily operations. Much of this documentation will be made available to the public and can come under scrutiny by cybersecurity experts. As part of the push for critical infrastructure resiliency, organizations in charge of delivering precious cargo across state lines will spend significant resources getting their response plans up to date.