In April, we published an article on the US Department of Labor (DOL) Employee Benefits Security Administration (EBSA) issuing cybersecurity guidelines for employee pension plans, specifically on April 14, 2021. Shortly thereafter, the DOL updated its audit investigations to include probing questions for plan trustees about their compliance with the agency's guidance “from the press”.
So what do these audit requests look like?
In short, the DOL asks plan sponsors to produce:
all documents relating to any cybersecurity or information security program that apply to Plan data, whether these programs are applied by the Plan sponsor or by any Plan service provider
For plan trustees who are new to cybersecurity and have not received a DOL audit in recent months, it may not be clear which documents or materials the DOL expects. The DOL expands its general request with a laundry list of items. Here are some examples of these more specific requests:
The above list is not complete, but it makes clear that the DOL seeks information about what plan trustees themselves do to protect their own information and systems and to ensure privacy and security, not just what their service providers do. Some plan trustees might wonder what policies, procedures or guidelines for protecting plan data should look like. There are many frameworks to consider when adopting reasonable safeguards. Examples include guidelines published by the National Institute of Standards and Technology, the New York SHIELD Act, the Massachusetts data security regulations, and the privacy and security standards under HIPAA.
In addition to the policies, procedures and guidelines summarized above, the DOL also requests in its audit request copies of other documents, some of which are listed below.
- “All documents and communications relating to past cybersecurity incidents.”
So obviously the DOL would like to find out whether the plan has ever had a cybersecurity incident. It is not clear whether this request refers only to “security breaches” or similar terms as defined in state breach notification laws, or also to mere “incidents” that do not rise to the level of a reportable breach.
- “All documents and communications describing security reviews and independent security assessments of plan assets or data stored in a cloud or managed by service providers.”
Here, the DOL distinguishes between plan “assets” and plan “data”, looking for reviews and security assessments relating to both. Recent litigation has called into question whether plan data can be considered a “plan asset”. In one of the more recent cases, Harmon v. Shell Oil Co., 2021 WL 1232694 (S.D. Tex. Mar. 30, 2021), the United States District Court for the Southern District of Texas rejected the argument that plan assets include plan data.
- “All documents describing technical security controls, including firewalls, anti-virus software and data backup.”
An important note here is that it may not be enough to say “we are doing this” or “we have antivirus and firewalls in place to protect our information systems”. The DOL is looking for documents describing these safeguards and controls.
- “All documents and communications from service providers relating to their cybersecurity capabilities and procedures.”
- “All documents and communications from service providers regarding policies and procedures for the collection, storage, archiving, deletion, anonymization, storage and sharing of data.”
- “All documents and communications describing permitted uses of the data by the plan sponsor or any plan service provider, including, but not limited to, all uses of the data for direct or indirect cross-selling or marketing of products and services.”
The DOL would like to see how plan trustees communicate with their service providers to assess those providers' cybersecurity risk, as well as documents and other materials from service providers regarding the processing of plan data. It is important to note that the DOL is not only looking for information related to cybersecurity. The agency apparently wants to know how service providers are permitted to use plan data. Plan trustees will want to carefully consider their current practices, including their communications, when selecting and working with service providers.
No plan trustee wants to undergo a DOL audit of their pension plans, or any other audit for that matter. But cybersecurity is clearly a new and important area of interest for the DOL, and plan trustees must be prepared to respond to it.
Jackson Lewis P.C. © 2021 National Law Review, Volume XI, Number 207