On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.

Accordingly, the DOL’s guidance (while long overdue) is welcome advice stressing just how critical it is for fiduciaries to focus on cybersecurity issues in selecting, contracting and monitoring the performance of record keepers and other plan service provides to protect plan participants. The guidance also specifically emphasizes how important it is for fiduciaries to address cybersecurity when performing due diligence in negotiating service provider agreements and in ongoing monitoring of service provider compliance with cybersecurity policies and procedures to ensure that any breaches are promptly reported, investigated and addressed.

The three pieces of guidance are summarized below:

  1. Tips for Hiring Service Providers.

To assist business owners and plan sponsors in meeting their responsibilities under ERISA to prudently select and monitor service providers, the DOL provides the following tips (summarized):

  • Ask about the service provider’s information security standards, practices and policies and audit results, and compare them to the industry standards adopted by other financial institutions.
  • Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation and legal proceedings related to vendor’s service.
  • Ask whether the service provider has experienced past security breaches, what happened and how the service provider responded.
  • Determine if the service provider has any insurance policies that would cover losses caused by cybersecurity and identify theft breaches.
  • Ensure that service contracts require ongoing compliance with cybersecurity and information security standards and beware of provisions that limit a provider’s responsibility for IT security breaches. Particular attention should be paid to contract terms relating to:
    • Sharing of information and confidentiality
    • Cybersecurity breach notification
    • Record retention/destruction, privacy and information security and
    • Insurance

2. Cybersecurity Program Best Practices

The DOL guidance recites that, because ERISA covered plans often hold millions of dollars in plan assets and maintain personal data on plan participants, responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. Accordingly, the agency recommends the following best practices for use by record keepers, other service providers responsible for plan related IT systems and data and for plan fiduciaries making prudent decisions on the service providers they hire. Plan service providers should maintain, adopt or conduct the following (summarized):

  • Formal well-documented cybersecurity program
  • Prudent annual risk assessment
  • Reliable annual third party audit of security controls
  • Clearly defined and assigned information security roles and responsibilities
  • Strong access control procedures
  • Assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessment
  • Cybersecurity awareness training conducted at least annually for all personnel and updated to reflect risks identified by the most recent risk assessment
  • Secure system development life cycle program
  • Business resiliency program which effectively addresses business continuity disaster recovery and incident response
  • Encryption of sensitive data stored and in transit
  • Strong technical controls implementing best security practices
  • Responsiveness to cybersecurity incidents or breaches

3. On-line Security Tips for Participants.

Participants are encourage to reduce the risk of fraud and loss to their retirement accounts by following these basic rules (summarized):

  • Register, set up and routinely monitor your online accounts
  • Use strong and unique passwords
  • Use multi-factor authentication
  • Keep personal contact information current
  • Close or delete unused accounts
  • Be wary of free Wi-Fi
  • Beware of phishing attacks
  • Use antivirus software and keep app and software current
  • Know how to report identity theft and cybersecurity incidents

Observations: While the guidance is welcome advice, many questions remain unanswered regarding the application of ERISA to data security. For example:

  • Is data maintained by a retirement plan a plan asset?
  • Is the employer (as plan sponsor) responsible for the data breach, or is the third party administrator service provider responsible?
  • Does ERISA, a federal law, preempt state cybersecurity (data privacy) laws?
  • Doe the DOL expect plan sponsors for ERISA fiduciaries to communicate on-line security tips to plan participants and beneficiaries, and if so, how often?

In light of this recent guidance, plan sponsors and ERISA fiduciaries should begin reviewing their practices, procedures and cybersecurity protocols, as well as those of their service providers to ensure they are meeting the best practices set forth in this recently published DOL guidance.