The ERISA Advisory Council (Council) has been tackling the issue of cybersecurity as it relates to benefit plans since 2011, and just this last summer, the Council held two hearings where it heard testimony from various experts and interested parties on the issue. Following these hearings, the Council issued a report that remained unpublished until this month, when it was released by the Department of Labor (DOL). The report, titled “Cybersecurity Considerations for Benefit Plans” (Report), states that the Council focused on providing information to “plan sponsors, fiduciaries and service providers in evaluating and developing a cybersecurity risk management program for benefit plans.” The Council provides two recommendations in the Report:
- Make the Report and its appendices available via the DOL’s website as soon as administratively feasible to provide plan sponsors, fiduciaries, and service providers with information on developing and maintaining robust cyber-risk management programs for benefit plans.
- Provide information to the employee benefit plan community of plan sponsors, fiduciaries, and service providers to educate them on cybersecurity risks and potential approaches for managing these risks.
While a majority of the Report discusses the challenges of cybersecurity, current legal framework, and other background information, the Report also includes an appendix intended to serve as a resource for plan sponsors and service providers, so that they can establish and customize appropriate strategies on cybersecurity for benefit plans. The appendix includes
- information to help plan sponsors and fiduciaries better understand how plan data is handled,
- components of a successful cybersecurity framework,
- tips for establishing protocols and cybersecurity risk management strategies, and
- a list of questions to ask before contracting with service providers.
However, the Report does not discuss two key issues that impact benefit plans: whether cybersecurity is a fiduciary responsibility and whether ERISA preempts state cybersecurity laws. We expect further developments in the area of cybersecurity, as it appears to be a priority for US President Donald Trump’s administration. We will provide additional information on this topic as it becomes available.