US Department of Labor Announces New Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, and Participants
Matthew Arey, JD*, Retirement Advisor, director of fiduciary services
On April 14, 2021, the Department of Labor (“DOL”) Employee Benefits Security Administration issued its first cybersecurity guidance to retirement plan sponsors, plan fiduciaries, record keepers, service providers, and participants.
Why Now?
With $9.3 trillion in employer-sponsored retirement plans1, there has been increased recognition that electronic delivery of plan information heightens cybersecurity risks to plan participants. Under the Electronic Disclosure Final Rule, published on May 27, 2020, ERISA’s fiduciary duties require measures reasonably calculated to protect the security and privacy of personal information. In other words, the new cybersecurity guidance is intended to complement the existing rules on electronic records and disclosures to plan participants and beneficiaries.
Other governmental agencies had also been urging the DOL to issue cybersecurity guidance. On February 21, 2021, the U.S. Government Accountability Office (“GAO”) issued a report urging the DOL to issue a statement that “cybersecurity for ERISA covered plans is a plan fiduciary responsibility.”
The DOL responded, but it did not state that plan fiduciaries are responsible for fail-safe cybersecurity. Instead, it issued “tips” and “best practices” to mitigate cybersecurity risk. The guidance states that “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” The tips are meant to “help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers.”
The DOL’s guidance is contained in three documents, each targeted to a different audience:
Tips for Hiring a Service Provider – Helps plan sponsors and plan fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Ask about the service provider’s information security standards, practices and policies, and audit results. Compare them to the industry standards adopted by other financial institutions.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- Evaluate the service provider’s track record in the industry. This includes public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
- Ask whether the service provider has experienced past security breaches, including what happened and how the service provider responded.
- Find out whether the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches. This includes breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account.
- When you contract with a service provider, make sure the contract requires ongoing compliance with cybersecurity and information security standards. Beware of contract provisions that limit the service provider’s responsibility for IT security breaches. You can also include terms that enhance cybersecurity protection for the plan and its participants, such as information security reporting; clear provisions on the use, sharing and confidentiality of information; notification of cybersecurity breaches; compliance with records retention and destruction requirements and with privacy and information security laws; and insurance.
Cybersecurity Program Best Practices – Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct annual cybersecurity awareness training.
- Implement and manage a secure system development life cycle (“SDLC”) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Online Security Tips – Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce risk of fraud and loss. Participants are encouraged to:
- Monitor their online accounts
- Select strong passwords
- Use multi-factor authentication
- Keep information up to date
- Close unused accounts
- Avoid free Wi-Fi
- Beware of phishing attempts
- Use antivirus software and keep apps and software current
- Know how to report theft and security incidents.
What’s next?
Lebel & Harriman will discuss the cybersecurity guidance with plan sponsors during the fiduciary plan review process. We will work with you to determine whether appropriate precautions to mitigate cybersecurity risks are in place. As part of this review, we will be reaching out to recordkeepers and requesting confirmation of compliance with Cybersecurity Program Best Practices.
The good news is that the DOL did not assign sole responsibility for mitigating cybersecurity risks to any one party. Issuing guidance to multiple parties, including participants, signals that all parties need to work collectively to address these risks. Should you have any questions on the guidance, please do not hesitate to contact your Lebel & Harriman team.
1As of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.
*Matthew does not provide legal services for clients and he is currently not licensed to practice law. Attorney-Client privilege does not apply to communications. Lebel & Harriman is not a law firm. The information contained in this email, including its attachments, is not protected information and may be subject to disclosure to the full extent of the law.
The information presented here is for educational purposes only and is not intended to provide specific advice or recommendations for any individual nor does it take into account the particular investment objectives, financial situation or needs of individual investors. The information provided has been derived from sources believed to be reliable, but is not guaranteed as to the accuracy and does not purport to be a complete analysis of the material discussed. This material is not intended to provide, and should not be relied on for tax advice. Any tax advice contained herein is of a general nature. You should seek specific advice from your tax professional before pursuing any idea contemplated.