In an effort to help protect an estimated $9.3T in retirement plan assets, the U.S. Department of Labor (“DOL”) issued its first-ever cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants. The new guidance is intended to complement the DOL’s May 2020 regulations on electronic records and disclosures to plan participants and beneficiaries. While the 2020 e-delivery regulations allowed retirement plans to rely on electronic delivery of retirement plan updates, benefit statements and notices to participants and beneficiaries, there was a recognition that such delivery created an increased risk of cybersecurity attacks. As a result, the DOL provided three sets of recommendations for the different parties involved in sharing sensitive retirement plan information:
- Tips for Hiring a Service Provider;
- Cybersecurity Program Best Practices; and
- Online Security Tips.
As sponsors of 401(k) and other types of pension plans, employers often rely on third-party vendors to operate and administer their retirement plans, which may entail maintaining plan records, protecting participant data and keeping plan accounts secure. Tips for Hiring a Service Provider helps business owners and fiduciaries meet their obligations under ERISA and prudently select service providers with strong cybersecurity practices and monitor their activities. Business owners should ensure the service provider’s information security standards, practices and policies are adequate and negotiate for the right to review audit results demonstrating compliance with a recognized standard for information security.
The DOL emphasized that contractual obligations are paramount in enhancing cybersecurity. As cybercriminals often exploit third-party vendor relationships to gain unauthorized access to retirement plan assets, it is imperative that contractual safeguards are in place to mitigate such threats and ensure effective incident response. The DOL specifically recommends negotiating the following terms in vendor contracts to enhance cybersecurity protection for retirement plans and participants:
- Information Security Reporting (obtain annual, third-party audit to determine compliance with information security policies and procedures)
- Clear Provisions on the Use and Sharing of Information and Confidentiality (obligation to keep private information secure and prevent unauthorized access, loss, disclosure, modification, or misuse)
- Notification of Cybersecurity Breaches (must notify business owners of any cyber incident or data breach, cooperate in the investigation, and remediate the cause of the breach)
- Compliance with Records Retention and Destruction, Privacy and Information Security Laws (meet all applicable federal, state and local laws, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality or security of participant’s personal information)
- Insurance (require insurance coverage, including cyber-liability and privacy breach insurance)
The Cybersecurity Program Best Practices provides a detailed overview of essential components for plan fiduciaries and recordkeepers to consider when developing and maintaining a comprehensive cybersecurity program. In addition to technical safeguards, the DOL stresses the importance of conducting annual risk assessments, developing business continuity and incident response plans and continuously training the entire workforce to enhance cybersecurity awareness and competency.
Additionally, the Online Security Tips offers plan participants and beneficiaries who access their retirement accounts online foundational rules to reduce the risk of fraud and loss. The tips include implementing multi-factor authentication, using strong and unique passwords, managing online accounts by monitoring for fraudulent activity and closing out unused accounts, and being vigilant against phishing attacks.
The newly issued DOL guidance emphasizes the importance of strengthening cybersecurity for retirement plans and reflects the DOL’s view that ERISA plan fiduciaries have an obligation to protect plan assets from cyber threats. However, these issues are not new. The Advisory Council on Employee Welfare and Pension Benefit Plans (the ERISA Advisory Council) has been tackling privacy and cybersecurity issues affecting employee benefit plans since 2011. More recently, the Government Accountability Office (“GAO”) published a report that found plan sponsors and service providers often exchange personally identifiable information (PII) and plan asset data, including names, Social Security numbers, dates of birth, addresses, passwords, and retirement and bank account numbers. The GAO found that sharing this information could lead to serious cybersecurity risk. As a result, the GAO recommended that the DOL: (1) formally state whether it is a retirement plan fiduciary’s responsibility to mitigate cybersecurity risks in their role of administering such plans under ERISA; and (2) issue guidance with minimum expectations for mitigating cybersecurity risks and outline the specific actions that should be taken by all entities involved in administering employer-sponsored retirement plans.
The DOL’s Response
In the new guidance, the DOL cited existing Employee Retirement Income Security Act (“ERISA”) regulations and stated that plan fiduciaries, under their current prescribed duties, must take appropriate precautions to mitigate risks of malfeasance to their plans, whether cyber or otherwise. The DOL also established minimum expectations for addressing cybersecurity risks in order to: (1) increase awareness among plan fiduciaries of the DOL’s position on cybersecurity risk mitigation; and (2) ensure that fiduciaries satisfy their ERISA obligations when selecting and monitoring service providers.
Although the DOL did not specifically extend the current fiduciary responsibilities under ERISA to prevent cyberattacks and fraud, it did place fiduciaries on notice regarding the expectations to mitigate these cybersecurity risks. Whether additional DOL guidance is forthcoming remains uncertain. Nonetheless, this newly issued guidance may signal an increased focus on cybersecurity within the DOL and encourage employers and other stakeholders to prioritize cybersecurity efforts within their organizations.
The new DOL cybersecurity guidance serves as a “safe harbor” for fiduciaries to demonstrate compliance with their obligations under ERISA. As a best practice, we recommend plan fiduciaries take steps now to: (i) review their retirement plan data and corresponding administrative protections with their technology experts and (ii) review any current and new vendor contracts with service providers to ensure the DOL’s recommendations are incorporated and proper cyber protections are implemented. Additionally, cyber-insurance policies should be reviewed on an annual basis to ensure the appropriate provisions and coverage levels are consistent with market practices.