On April 14th, 2021, the Department of Labor (“DOL”) issued cybersecurity guidance to plan sponsors and fiduciaries, recordkeepers and other service providers, and participants and beneficiaries of plans regulated by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). The guidance is presented in three separate parts: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices and Online Security Tips for Participants and Beneficiaries.
Over the past ten years, cybersecurity has become an area of critical importance to plan sponsors, plan administrators and plan participants. With plans holding trillions in assets as well as sensitive participant information, retirement accounts have been attractive targets for cyber-enabled fraud. Plan participants are known to check their retirement account balances less frequently than personal banking, credit card or other financial accounts. As a result, there can be a delay before attacks on retirement accounts are discovered, making tracing and recovery efforts exceptionally difficult. Plans also permit electronic access to funds and rely upon outside service providers, which provide additional access points for breach. There is a growing body of litigation involving participants who have suffered retirement plan losses due to cyberattacks. Bartnett v. Abbott Laboratories, No. 20-cv-02127 (ND Ill., 2020) (motion to dismiss participant suit against plan sponsor and administrator granted, but denied with respect to third party record-keeper); Leventhal v. The MandMarblestone Group LLC, No. 18-cv-2727 (ED PA, 2019) (motion to dismiss suit by plan sponsor and participant against third party administrator denied); and Berman v. Estee Lauder, No. 4:19-cv-06489 (ND CA, 2019) (participant suit against plan sponsor, committee and third party record-keeper settled).
With the increasing number of cyberattacks on plans and participant accounts as well as litigation, the Government Accountability Office earlier this year urged the DOL to issue clear guidance regarding the responsibilities of plan administrators to mitigate cybersecurity risks and set minimum expectations for protecting personal information in defined contribution retirement plans. The DOL responded with a set of diligence steps plan fiduciaries and administrators might take with respect to diligence of, and contracting with, plan service providers.
It appears the DOL’s three-part guidance is intended to apply to retirement plans, as it regularly refers to the security of retirement plans and retirement plan assets. This seems a reasonable distinction, as retirement plans are far more likely than other ERISA-covered plans to hold assets. However, in key places, the guidance refers more generally to “ERISA-covered plans,” and as a result—even if unintended—it can be broadly read to apply to not only retirement plans but also health and welfare plans.
Takeaway: Plan service providers and fiduciaries for health and welfare plans will need to consider reconciling the tips in the below guidance with other security guidance that already applies to such plans—for example, HIPAA’s privacy and security standards and various data security breach laws. While some of the guidance overlaps with HIPAA’s security standards, there are several distinctions. Moreover, plan fiduciaries will need to consider reconciling guidance that is simply ‘addressable’ under HIPAA’s security standards, but is now listed as a ‘best practice’ by the DOL (for example, encryption).
Plan Sponsor and Plan Fiduciary Guidance: Tips for Hiring a Service Provider with Strong Cybersecurity Practices
The DOL’s tips are intended to help fiduciaries meet their responsibilities under ERISA to prudently select and monitor their service providers:
- Ask about the service provider’s information security standards, practices and policies and audit results, and compare them to standards adopted by other financial institutions.
- Seek providers that engage a third-party auditor to review and validate its program. Include contract provisions that give the right to review audit results demonstrating compliance with the standard.
- Evaluate the provider’s track record in the industry, including public information regarding information security incidents, litigation and legal proceedings.
- Inquire about past security breaches and how the provider responded.
- Find out if the provider’s insurance policies would cover losses caused by cybersecurity and identity theft breaches. Require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance and/or fidelity bond/blanket crime coverage.
- Ensure that the contract requires ongoing compliance with cybersecurity and information security standards and scrutinize contract provisions that limit the service provider’s responsibility.
- Require the service provider to keep private information private and meet a strong standard of care to protect confidential information.
- Include in the contract how much time the provider has to provide notice of a security breach and require the provider to investigate and reasonably address the cause of the breach.
Takeaways: The DOL’s prescriptive approach establishes minimum standards plan fiduciaries should meet with respect to the hiring of service providers. Several of these points (in the form of questions) have already appeared in the context of DOL audits and investigations. Plan fiduciaries should immediately review their current hiring practices and service provider contracts and evaluate whether they meet the suggested standards. For example, provisions that limit the service provider’s liability and obligations in the event of a breach as well as participant guarantee and notice provisions should be carefully scrutinized. Note that these tips are intended to assist fiduciaries with their duty to monitor as well as select; prudent monitoring would seem to entail regular (e.g., annual) review of the third-party audits referenced above, periodic review of other information on the provider’s track record (security incidents, litigation, etc.), and regular RFPs to ensure sophistication of security methods relative to competitors and industry standards.
In Bartnett, plaintiff in an action against the administrator, among others, argued that the duty of prudence extends to the “safeguarding of plan assets and prevention of scams.” The court declined to assign such a duty to the plan administrator. This latest guidance by the DOL may assist future plaintiffs in establishing the existence of such a duty and the underlying activity needed to properly select and monitor a service provider’s cybersecurity policies, but by the same token plan fiduciaries who engage in those activities may have a stronger defense to such actions.
DOL Guidance on Cybersecurity Program Best Practices
The DOL outlines twelve cybersecurity “best practices” for plan service providers. Specifically, the DOL indicates that plan service providers should:
- Have a formal, well-documented cybersecurity program that is reviewed annually, approved by senior leadership, and reviewed by an independent auditor, and that includes policies and procedures covering a variety of categories.
- Conduct and document prudent, annual risk assessments.
- Have an annual independent third party audit the provider’s security controls.
- Have a cybersecurity program with clearly defined and assigned information security roles and responsibilities.
- Have strong access control procedures, including with respect to authentication and authorization.
- To the extent that assets or data are stored in a cloud or managed by a third-party service provider, ensure that they are subject to regular security reviews and independent security assessments.
- Conduct cybersecurity awareness training, updated to reflect recently identified risks, at least annually for all personnel.
- Have a secure system development life cycle (SDLC) program.
- Have a business resiliency program in place that effectively addresses key issues such as business continuity, disaster recovery, and incident response.
- Provide for encryption of sensitive data both when in transit and when at rest.
- Have strong technical security controls. Best practices include routine data backup and patch management, up-to-date hardware, software, firmware and antivirus software, and network segregation.
- Demonstrate they are responsive to cybersecurity incidents and data breaches.
Takeaways: Though these best practices are directed towards service providers, the DOL also places a clear burden on plan fiduciaries to monitor whether service providers have these practices in place, stating that the document has been provided so plan fiduciaries may make “prudent decisions on the service providers they should hire,” because “plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
The DOL’s guidance is generally consistent with the approach taken by other federal and state regulators including the Securities and Exchange Commission and Office of the Comptroller of the Currency. Some plan fiduciaries already have in place robust practices to understand and document their plan service providers’ security programs and protocols and have been coordinating with their internal information security and compliance teams. Those that do not should consider how to begin such a process. One fairly simple method for doing so is requiring that plan service providers complete an annual survey and attestation, and submit copies of certain documentation (e.g., security policies and procedures) demonstrating compliance with written policy requirements. In addition, all plan service providers should consider incorporating language into their service contracts on compliance with these best practices going forward.
Tips for Plan Participants
The DOL also offered tips for plan participants, who can take fairly simple actions to help reduce their own risk of retirement account fraud and loss. Participants can:
- Register, set up, and routinely monitor their account balances online.
- Use strong, unique passwords and update those passwords regularly.
- Use multi-factor authentication.
- Keep personal contact information current.
- Close or delete unused accounts.
- Avoid free wireless networks, which pose security risks.
- Understand and avoid ‘phishing attacks.’
- Use antivirus software that is updated regularly.
- Know how to report identity theft and cybersecurity incidents.
Takeaway: While plan fiduciaries and service providers must work to establish strong security protocols and monitoring to protect plan data and assets, plan participants can take small steps to help ensure their accounts are secure. For example, in cases of identity theft, participants will often remember to call their banking institutions and credit card companies but not their retirement plan service provider or may mistakenly believe that mailing paper checks is more secure than technology-enabled solutions. Therefore, plan sponsors and fiduciaries are well advised to provide participant education in this area; fostering participants’ understanding of the need to take steps to protect their personal information and retirement savings should have the happy by-product of reducing the risk of litigation against the plan sponsor and fiduciaries.