On April 14, 2021, the United States Department of Labor (DOL) released three-part guidance on cybersecurity issues for employee benefit plans, its first major statement on the subject since the comprehensive but non-binding report issued in late 2016. The DOL guidance comes amid a rise in high-profile lawsuits in which plan participants allege that plan sponsors, responsible trustees and service providers failed to adequately protect retirement accounts against cybersecurity threats. Given the heightened threat of cyberattacks in general and the exposure of roughly $9.3 trillion in benefit plan assets (as estimated by the DOL), ERISA plan sponsors, responsible trustees and participants had been awaiting official guidance from the DOL on this matter. This update reviews the DOL's three-part cybersecurity guidance for ERISA plans and summarizes the practical implications for plan sponsors and responsible trustees.
DOL advice on cybersecurity
Tips for plan sponsors and responsible trustees on hiring service providers with strong cybersecurity practices. The DOL lists the following six tips that plan sponsors and responsible trustees should follow to meet their ERISA obligation to prudently select and monitor plan service providers:
- Request the service provider’s security practices and protocols and compare these systems to industry standards adopted by other financial institutions.
- Ask how the service provider validates its security controls, and obtain a contractual right to review the results of its security audits.
- Evaluate the service provider’s information security track record, including reviewing publicly available information on security incidents and related disputes.
- Ask about any recent security breaches and how the provider responded to them.
- Confirm whether the service provider has sufficient cybersecurity and identity theft insurance coverage to meet the needs of the plan and its members.
- Incorporate cybersecurity compliance requirements into service agreements, along with other contractual terms such as (a) third-party audit requirements; (b) limits on the use and disclosure of confidential information; (c) prompt notification of cybersecurity breaches; (d) records retention policies consistent with applicable law; and (e) adequate insurance coverage for cybersecurity, identity theft and breach losses (whether as a stand-alone policy or in addition to the service provider's existing liability policies).
Cybersecurity Program Best Practices for Recordkeepers and Service Providers. The DOL also describes twelve best practices to be followed by plan recordkeepers and other service providers responsible for plan-related IT systems and data, and to guide plan trustees in making prudent decisions when selecting service providers. In summary, the DOL's best practice recommendations for recordkeepers and affected service providers are:
- Maintain a well-documented cybersecurity program capable of identifying, assessing, protecting against, recovering from and appropriately disclosing internal and external cybersecurity threats to the confidentiality, integrity or availability of stored non-public information. The program should implement formal policies designed to limit and counter cybersecurity threats (for example, access management, incident response, and security control policies and procedures).
- Conduct an annual risk assessment designed to identify information security threats and lead to revisions of cybersecurity controls as needed to address existing and emerging threats.
- Engage an independent third-party auditor to assess security controls and document the remediation of any weaknesses at least annually.
- Identify an information security officer with sufficient expertise and the necessary credentials to establish and maintain the cybersecurity program.
- Implement strict access control procedures that limit access to information systems and sensitive data of plans and participants through authorization procedures and identity authentication checks.
- Engage in regular security reviews of the information systems of cloud storage providers and other third party data storage providers, including using independent third party security assessments of such systems.
- Organize annual cybersecurity awareness trainings for all staff, with particular emphasis on the risks identified in the most recent risk assessment.
- Implement a secure system development life cycle (SDLC) program that assesses the security of internally developed and internally used applications, including periodic vulnerability assessments and penetration testing of all customer-facing applications and the data they hold.
- Develop a business resilience program that addresses business continuity, disaster recovery and incident response, so that people, assets and data remain protected and available in the event of a cybersecurity incident or disaster.
- Encrypt all non-public plan and participant information, both at rest and in transit.
- Implement strong technical controls for hardware, software or firmware components of information systems (for example, regular updates of system components).
- Respond appropriately to cybersecurity incidents or breaches in order to protect the plan and its participants, including notifying law enforcement and any relevant insurers, investigating the incident, informing the plan and affected participants of the steps they should take to prevent or reduce harm, and fixing the problems that gave rise to the incident or breach.
Online security tips for retirement plan participants. The DOL has also published tips to help plan participants reduce the risk of fraud and loss in their retirement accounts. These tips cover many now-standard practices for protecting personal assets and information online, such as regularly monitoring online accounts, using strong and unique passwords, using multi-factor authentication where available, keeping personal contact information up to date, closing unused accounts, being wary of free Wi-Fi and phishing attacks, running up-to-date antivirus software, and knowing how to report identity theft and cybersecurity incidents.
Practical implications for ERISA plan sponsors and responsible trustees
The DOL's cybersecurity guidance for ERISA plans has practical implications for plan sponsors and responsible trustees, including the following:
- Although the DOL describes its guidance as "tips" and "best practices," responsible trustees are subject to ERISA's prudent selection and oversight standards with respect to the engagement and retention of recordkeepers and other service providers. Responsible trustees should therefore build the DOL's service provider selection tips into their compliance efforts.
- The DOL guidance likely signals increased attention to cybersecurity in DOL enforcement actions, so responsible trustees should assess the guidance to prepare for a potential audit or investigation. The guidance may also prompt litigation and shift the standard for determining whether responsible trustees have acted prudently.
- While the DOL's insurance guidance relates to service provider coverage, plan sponsors and responsible trustees should confirm whether their existing fiduciary liability insurance adequately covers cybersecurity losses. If it does not, they should discuss with insurers the possibility of adding coverage for such losses.
- Plan sponsors and responsible trustees should consider building both the DOL's best practices for service providers and its service provider selection tips into their vendor procurement processes, including in internal training for staff involved in vendor selection.
- Plan sponsors and responsible trustees of plans of all sizes should treat the DOL's best practices for service providers as a checklist for reviewing their own cybersecurity readiness with respect to internal plan administration. Missing security controls at the plan sponsor level can lead to losses that cannot be prevented at the provider level. Sponsors and responsible trustees may need to engage third-party cybersecurity consultants to improve readiness and protect participants' assets and information. With cybersecurity incidents occurring ever more frequently, plan sponsors and responsible trustees may need to act quickly to complete this review and remediate any issues identified in order to reduce the risk of loss to ERISA plan participants.
- The DOL guidance largely mirrors the guidance issued by the US Department of Health and Human Services on security controls under the HIPAA Security Rule and the requirements that flow from it. Plan sponsors and responsible trustees reviewing their cybersecurity controls may be able to leverage the policies, procedures and controls already in place for group health plans governed by HIPAA or, if those controls are insufficient, undertake a single, uniform remediation program to improve cybersecurity controls across all of their ERISA plans.