By Jeremiah D. Wood
For the first time, the Department of Labor (DOL) has issued guidance addressing cybersecurity for plan sponsors, plan fiduciaries, recordkeepers, and plan participants of ERISA covered plans. The guidance was released on April 14, 2021, and was split into the following three separate parts:
- Tips for Plan Sponsors and Plan Fiduciaries on Hiring a Service Provider with Strong Cybersecurity Practices;
- Cybersecurity Program Best Practices for Plan Fiduciaries and Recordkeepers that are responsible for maintaining plan-related IT systems; and
- Online Security Tips for plan participants and beneficiaries.
The DOL released this guidance to help fiduciaries mitigate the risk to their plans' participant and asset data from internal and external cybersecurity threats. The guidance comes almost a year after the DOL released its new electronic disclosure method for retirement plans. (If you would like to learn more about this electronic disclosure method, read our article here.) The cybersecurity guidance complements the electronic disclosure method because electronic disclosures are subject to cybersecurity risk in a way that paper handouts were not.
Plan sponsors, fiduciaries, recordkeepers, and participants should all take time to review how they protect their plan data. Additionally, this is a good time to review existing contracts with service providers to ensure the cybersecurity guidance is appropriately incorporated. The DOL’s online security tips for plan participants and beneficiaries are set out in a two-page document that plan fiduciaries should consider providing to plan participants and beneficiaries.
The DOL’s tips for plan sponsors and plan fiduciaries on hiring a service provider with strong cybersecurity practices are as follows:
- Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that provide the right to review audit results demonstrating compliance with the standard.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats and breaches caused by external threats).
When contracting with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants, such as:
- Information security reporting.
- Clear provisions on the use and sharing of information and confidentiality.
- Notification of cybersecurity breaches.
- Compliance with records retention and destruction, privacy and information security laws.
- Insurance requirements and any applicable limitations on the insurance policies.
The DOL’s cybersecurity best practices for plan fiduciaries, recordkeepers, and other service providers responsible for plan-related IT systems and data are:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
The DOL’s online security tips for plan participants and beneficiaries, who check their retirement accounts online, are as follows:
- Register, set up and routinely monitor their online account.
- Use strong and unique passwords.
- Use multi-factor authentication.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be wary of free Wi-Fi.
- Beware of phishing attacks.
- Use antivirus software and keep apps and software current.
- Know how to report identity theft and cybersecurity incidents.
Even though the DOL guidance consists merely of “tips” and “best practices” (i.e., no enforcement is mentioned), it does give plan sponsors and fiduciaries the DOL’s views on cybersecurity for ERISA-covered plans, which include both retirement plans and health and welfare plans. As mentioned above, in light of this guidance, it is important for plan sponsors and fiduciaries to review their internal practices on plan matters that may be impacted by cybersecurity threats, as well as to review contracts with service providers to ensure such providers’ cybersecurity is adequate. If you would like to discuss the new DOL guidance, please reach out to your Friday, Eldredge & Clark, LLP Employee Benefits Attorney.
Jeremiah D. Wood practices in the firm’s Employee Benefits and Executive Compensation Practice Group. His practice includes experience in the design, implementation, administration and termination of tax-qualified retirement plans (including traditional pension plans, cash balance plans, profit-sharing plans, 401(k) plans, and ESOPs), 403(b) plans, nonqualified deferred compensation plans (including 457(b) and 457(f) plans and deferral compensation arrangements for executives) and health and welfare plans.
Disclaimer: The information included here is provided for general informational purposes only and should not be a substitute for legal advice nor is it intended to be a substitute for legal counsel. For more information or if you have further questions, please contact one of our Attorneys.