Implementing the 3-2-1 Backup Rule for Your Plan

As we noted in our previous post, cyber insurance companies have instituted new requirements in order to qualify for Cyber Insurance coverage:  (1) implementation of multifactor authentication; (2) backups in place that are updated regularly to a secondary location; and (3) the ability to have all critical systems back up and running within 10 day of an attack.  We previously explained the new requirements for multifactor authentication (MFA).  This post will focus on a practical way to create a resilient backup strategy. While MFA is an offensive tactic that safeguards data from hackers with more complex security measures, an efficient backup plan is your first line of defense should they gain access to your data.

Implementing a full backup and restore system is mission-critical to your cyber disaster continuity plan. Therefore, we recommend an industry best practice data protection strategy known as the 3-2-1 Backup Rule.

The 3-2-1 Backup Rule

The rules of the 3-2-1 backup strategy are straightforward:

• Consistently maintain “three” or more distinctive copies of all system data.
• Retain “two” copies of your backup data on different devices and separate storage media.
• Store “one” backup copy offsite.

Let’s add more context to those points.

1.    Maintain three or more distinctive copies of all system data

A single copy of your data is not safe. It’s not only hackers that can cause you to worry. Accidents and unforeseen events happen. Lightning strikes, fires, floods, natural disasters, angry employees, vandals, and random occurrences can destroy data. If you only have one backup stored in the exact location as your working copy and using the same media type, your data is highly vulnerable.

Maintaining three copies – a working copy with two backups – of your data is vital to your business continuity plans. The backups must each be available for immediate use if your other copies fail, are compromised, destroyed, or are stolen. Using different storage methods and media types for your backups lowers the possibility of similar model drives simultaneously crashing because tech has a way of wreaking havoc that way. Storing the third backup in a different physical location than your working copy and your second copy is crucial to the strategy.

2.   Retain two copies of backup data on different devices and separate storage media.

Prudent plans should maintain two backup copies using different media sources, such as an external hard drive backing up for your first copy and using optical disks, digital tapes, an external hard drive, a USB drive, or other removable media for backup copies number two and three. An excellent option is to employ network-attached storage (NAS), a file-level storage architecture designed to allow networked devices access to stored data. NAS integrates well with cloud computing.

3.   Store one backup copy offsite.

The final backup strategy is to retain one copy offsite. Before ubiquitous cloud computing and storage availability, this rule required a trusted employee to keep a backup locked in a car trunk or something similar in order to get the backup in a separate location physically. Having a branch office maintain the third copy is an option for companies with multiple business facilities. Storing data in the cloud is a viable solution. Versioning copies of backups is an advanced strategy that provides a sound data backup. You will encounter versioning in the process of implementing your 3-2-1 backup strategy.

The Euclid Perspective

The Department of Labor (DOL) has started an audit initiative focusing on retirement plan cybersecurity practices. Morgan Lewis reports the initial DOL audit requests TPAs and plan fiduciaries to provide it with all cybersecurity and information security program policies, procedures, and guidelines related to the plan, including vendors.

Since last year, Euclid policyholders have seen similar broad demands from DOL audit requests. Compliance requires plan fiduciaries to provide detailed documentation of their specific cybersecurity actions. The list includes multifactor authentication, backup strategies, software patching protocols, robust anti-virus software, and employee education.

To no surprise, cyber carriers now require the same core cybersecurity strategies. From now on, employee benefit plans seeking cyber insurance coverage must be able to answer three new application questions to secure new or renewal cyber coverage:

1. Have you implemented multifactor authentication (often referred to as MFA or 2FA) set up for Microsoft 365 and any other service where a client houses data?
2. Do you have backups in place that are updated regularly to a secondary location?
3. Do you have the ability to have all critical systems back up and running within ten days of an attack?

If you or your third-party administrator lacks any of these three cybersecurity strategies, your plan will have trouble securing adequate cyber coverage.