Cybersecurity is by no means a new issue for employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (“ERISA”). Still, until recently, the U.S. Department of Labor (“DOL”) had not directly weighed in on what ERISA plans and their services providers should be doing to adequately safeguard sensitive participant information retained by ERISA plans. That finally changed on April 14, 2021 when the DOL issued guidance providing the DOL’s “tips” and “best practices” relating to cybersecurity in the form of:
In short, through its new guidance, the DOL is making it clear that fiduciaries cannot reasonably fulfill their obligations to plan participants without taking an active role to ensure that not only are the plan’s cybersecurity practices aligned with the DOL’s best practices, but also that such fiduciaries are actively monitoring and evaluating a service provider’s cybersecurity policies and procedures.
Below, we have set out answers to some of the overarching questions facing the who, the what, the when, and the how of DOL’s new guidance.
Cybersecurity Program Best Practices
To whom does this guidance apply?
This guidance applies to all plans that are subject to ERISA. Specifically, the DOL advises that this guidance is intended for:
- recordkeepers or other service providers responsible for plan-related IT systems and data; and
- plan fiduciaries, to ensure they are able to make prudent decisions about the service providers they hire on behalf of the plan.
What does the guidance address/require?
In the guidance, the DOL lays out twelve “best practices” for all ERISA plan service providers. These best practices provide that a service provider should:
- Have a formal, well-documented cybersecurity program;
- Conduct prudent annual risk assessments;
- Have a reliable annual third-party audit of security controls;
- Clearly define and assign information security roles and responsibilities;
- Have strong access control procedures;
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct annual cybersecurity awareness training;
- Implement and manage a secure system development life cycle (“SDLC”) program;
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- Encrypt sensitive data, both at rest and in transit;
- Implement strong technical controls in accordance with best security practices; and
- Appropriately respond to any past cybersecurity incidents.
The majority of these concepts are not new or groundbreaking. Many are already requirements (or are similar to requirements) applicable to group health plans that are subject to the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). However, because many plans are not subject to HIPAA’s privacy provisions, in putting out this guidance, the DOL is putting a renewed emphasis on protecting all plan information, not just protected health information. While the requirements set forth above are applicable to service providers, a fiduciary should confirm that a plan’s service provider meets the requirements set forth above.
When and how should those entities/individuals apply this guidance?
Third-party ERISA plan service providers should immediately begin assessing their cybersecurity policies and procedures to ensure that they align with the DOL’s best practices. To the extent changes need to be made, these changes should be implemented as soon as practicable. Service providers should also establish ongoing practices, such as annual cybersecurity training for their employees, to ensure all employees are trained (and retrained) on cybersecurity best practices and are vigilantly keeping up to date with the ever-changing world of privacy and data security.
Fiduciaries that are making decisions about a plan’s service providers should also begin their analysis of the above criteria as soon as possible. To the extent that a plan currently incorporates a cybersecurity analysis in its decision making process, the plan’s fiduciaries should review such analysis to ensure that it, at a minimum, inquires about the information set forth in the DOL guidance.
Tips For Hiring A Service Provider With Strong Cybersecurity Practices
To whom does this guidance apply?
While this guidance specifically mentions 401(k) plans and other types of pension plans (which would include employee stock ownership plans (ESOPs)), it also references fiduciary obligations applicable to all plans that are governed by ERISA. As a result, fiduciaries of health and welfare benefit plans subject to ERISA would be well served by following this guidance too.
What does the guidance address/require?
As its name suggests, this guidance is intended to ensure that fiduciaries properly vet a plan’s service providers to ensure that those entities have robust cybersecurity policies. To do this, the DOL is essentially requiring that fiduciaries do one thing: ask questions. Rather than passively accepting a service providers’ cybersecurity policies and procedures, the DOL’s guidance states that fiduciaries have an obligation to actively inquire about (and if necessary, request changes to) their service providers’ cybersecurity policies. The guidance is clear that it is no longer acceptable to merely accept what is presented by a service provider. Specifically, the DOL recommends that fiduciaries do the following:
- Ask about a service provider’s security standards, practices, policies, and audit results.
- Ask a service provider how it validates its practices and what levels of security standards it has met and implemented.
- Ask whether a service provider has experienced past security breaches, and what happened and how the service provider responded.
- Ask about (or otherwise evaluate) a service provider’s track record in the industry.
- Ask about insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
- Ask whether a service provider requires ongoing compliance with cybersecurity and information security standards.
The guidance also includes a number of suggestions relating to the negotiation of service agreements with a plan’s service providers. In particular, the DOL suggests focusing on contract provisions related to the use and sharing of information, notifications of any cybersecurity breaches, record retention and destruction, and insurance. It is therefore imperative that fiduciaries carefully review this guidance (as well as their current administrative services agreements) to ensure that these agreements include the DOL’s recommended language. Fiduciaries should also review their request for proposal (“RFP”) process and, if not already doing so, the fiduciaries may want to consider engaging counsel or another advisor in the RFP process to assist in the negotiation and review of a proposed engagement for plan services.
When and how should those entities/individuals apply this guidance?
Technically, the answer is always. That said, the best time for a fiduciary to exercise leverage and to truly evaluate and compare a service providers’ cybersecurity policies is before selecting—and at the very least before entering into a contract with—a service provider. In other words, fiduciaries should be asking for this information at the RFP and contract negotiation stage of a relationship with a service provider. By being proactive at this early stage, not only is the fiduciary in a position of power (i.e., the fiduciary is more likely to have the leverage necessary to effectuate change in a service provider’s policies), but the fiduciary is also in a position to review and compare multiple service providers before making a final selection.
If an ERISA plan already has a contract in place with a service provider, this does not mean that the fiduciaries of such plan should sit idly by. Fiduciaries should begin analyzing such contracts and should start asking the plan’s service providers the questions outlined above. This will ensure that fiduciaries are adequately informed of a service provider’s policies. It will also help determine whether a fiduciary must take action with respect to a plan’s service providers prior to the renewal period for the plan’s service agreements.
Online Security Tips
To whom does this guidance apply?
This guidance applies to individuals participating in ERISA retirement plans. But, while the guidance expressly calls out participants in ERISA retirement plans, these same tips can apply to any account-based plan, including health and welfare plans.
What does the guidance address/require?
The guidance appears to acknowledge that no matter what an ERISA plan or its service providers do to protect sensitive information, participants themselves play a significant role in ensuring that their information is protected. As a result, rather than simply laying out safeguards for plans and service providers, this guidance also provides tips for individual participants.
The guidance itself emphasizes the importance of strong passwords, multi-factor authentication and the need for participants to set up and monitor their own accounts (including closing or deleting unused accounts). It also warns individuals to be wary of free Wi-Fi and phishing attacks and encourages participants to install and utilize antivirus software on devices that are accessing plan information.
When and how should those entities/individuals apply this guidance?
These tips really apply to all individuals in almost all situations (even outside of the world of ERISA plans). Therefore, they should be implemented by everyone immediately (and always).
To help facilitate the use of these tips by plan participants, plan sponsors and administrators may want to consider how they can best communicate this information to plan participants. Plan sponsors may wish to disseminate this information through a formal training on cybersecurity best practices or a plan communication explaining what plan participants can do to help secure their own information. Plan sponsors may even wish to distribute the DOL communication directly to participants and keep a record of when the information was distributed to the participants. While these steps are not necessarily required by the DOL, they may go a long way to help ensure plan participants are also actively engaged in securing their own information.
Takeaways
While the new guidance is set forth as suggestions rather than requirements, it is possible that the DOL may take the position that following or closely adhering to these tips and best practices is evidence of a fiduciary acting in a prudent manner. Therefore, it is best for all plan fiduciaries to assess a plan’s current cybersecurity practices and revise or update such practices in light of this new guidance.