Cybersecurity has become a daily struggle for businesses. In the last decade, cybersecurity breaches soared, with companies like Capital One having more than 100 million individuals impacted.
The unprecedented technological challenges caused by the global pandemic have exacerbated the cybersecurity vulnerabilities of employers, many of which already struggled with unprotected data issues and weak cybersecurity practices. Even in a post-pandemic business environment, it remains imperative that companies employ best practices for cybersecurity awareness, prevention, and security as a part of their culture.
These cybersecurity practices extend beyond general business transactions and include, importantly, employer-sponsored retirement plans, such as 401(k) and pension plans. As of 2018, the Employee Benefits Security Administration (EBSA), which is the enforcement arm of the Department of Labor (DOL) for benefits-related matters, estimates that there are 34 million participants in private pension plans and 106 million participants in defined contribution plans (e.g., 401(k) plans)—collectively representing estimated aggregate assets of $9.3 trillion.
Because retirement plan participant information is commonly maintained and accessible online, retirement plans are a prime target for cybercriminals. The absence of sufficient cybersecurity protections places plan participants and plan assets at risk from both internal and external cybersecurity threats. Apart from the general business reasons for adequately protecting benefit plan participants’ money and data, ERISA requires plan fiduciaries (e.g., employers) to take appropriate precautions to mitigate these risks.
On April 14, 2021, the DOL issued a triad of informal guidance (DOL cybersecurity guidance) as follows:
- DOL’s Tips for Hiring a Service Provider with Strong Cybersecurity Practices. The DOL proffers best practices focused on plan fiduciaries hiring (and monitoring) third parties to secure and protect participant data.
- DOL’s Cybersecurity Program Best Practices. This guidance focuses on best practices for plan recordkeepers and other service providers responsible for plan-related IT systems and data.
- Online Security Tips. These recommendations offer strategies for plan participants and beneficiaries to avoid losses to their account balances due to online cybersecurity fraud.
Plan Fiduciaries: Tips for Hiring a Service Provider with Strong Cybersecurity Practices
Most plan fiduciaries rely upon third-party service providers to perform tasks necessary to establish and maintain compliant benefit plans. Under ERISA, plan fiduciaries must, among other actions, prudently select and monitor plan service providers. When engaging new service providers or monitoring existing service providers, many plan fiduciaries conduct a request for proposal (RFP). The DOL cybersecurity guidance provides numerous recommendations for a plan’s hiring a service provider as well as provisions for inclusion in the plan’s service provider contract.
Among other important requirements and obligations, a plan fiduciary should include in the RFP cybersecurity questions and representations to which a service provider must respond to be considered for the engagement. The DOL cybersecurity guidance two-pager proffers six primary considerations for plan fiduciaries’ evaluation of a service provider, including:
- Consider the service provider’s cybersecurity standards, practices, policies, and results; and compare these to standards adopted by other service providers.
- Request validation of the service provider’s cybersecurity practices and the levels of security standards that the provider claimed to have met and implemented.
- Consider the service provider’s industry track record (including prior security incidents and related legal proceedings).
- Evaluate whether the service provider has experienced prior security breaches and how it has responded.
- Consider the service provider’s cybersecurity insurance liability coverage (including coverage for breaches caused by both internal and external threats).
- Ensure, when contracting with a service provider, that the contract stipulates the provider’s adherence to ongoing cybersecurity and information security standards.
The DOL cybersecurity guidance two-pager concludes with a recommendation of specific terms to include in the service provider agreement, which are intended to enhance cybersecurity (e.g., information-security reporting and notification requirements for cybersecurity breaches).
The DOL will likely add cybersecurity documentation and practices to the list of retirement plan audit issues consistent with the new guidance. Plan fiduciaries should review pre-existing and prospective service provider agreements and provider-monitoring processes to determine alignment with the DOL cybersecurity guidance—and negotiate explicit inclusion of the DOL’s recommendations and best practices in those agreements.
Plan Service Providers: Cybersecurity Program Best Practices
The second set of DOL cybersecurity guidance includes best practices for recordkeepers and other service providers responsible for retirement plan data. The DOL recommends that plan service providers responsible for plan-related IT systems and data maintain:
- a formal, well-documented cybersecurity program;
- prudent, annual risk assessments;
- reliable, annual third-party audit of security controls;
- clearly defined and assigned information security roles;
- strong access control procedures;
- appropriate security reviews and independent security assessments for assets or data stored in the cloud or managed by a third-party service provider;
- periodic cybersecurity awareness training;
- a secure system development life cycle (SDLC) program;
- an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- encryption of sensitive data, stored and in transit;
- strong technical controls consistent with best security practices; and
- a paradigm for appropriate response to any past cybersecurity incidents.
Plan fiduciaries should consider engaging IT professionals or a third-party cybersecurity consultant to verify alignment between the DOL’s enumerated best practices and the service provider’s actual operation.
Plan Participants: Online Security Tips
The third set of DOL cybersecurity guidance proffers basic rules aimed at reducing the risk of fraud to plan participants and beneficiaries who review their retirement accounts online. Acknowledging that plan participants play a critical role in mitigating cybersecurity risk, the DOL’s online cybersecurity tips seek to diminish the likelihood of retirement plan account losses caused by cybersecurity fraud. Under the DOL’s online security tips, plan participants can mitigate retirement plan account loss risk by following these basic rules:
- routine monitoring of online retirement plan account(s);
- use of unique passwords for online accounts;
- use of multi-factor authentication;
- maintenance of updated personal contact information;
- closing of unused online accounts;
- avoidance of free wi-fi;
- avoidance of phishing attacks;
- use and maintenance of antivirus software; and
- immediate reporting of identity thefts and cybersecurity incidents.
Retirement plan sponsors and fiduciaries should consider adding the DOL’s online security tips to plan participant notices, including summary plan descriptions (SPDs), annual notices, enrollment materials, and other participant-related disclosures, subject to review by legal counsel for accuracy and other ERISA-related considerations.
Plan Sponsors: Develop a Robust Cybersecurity Paradigm Now
The DOL cybersecurity guidance acknowledges that cybersecurity protection for retirement plans necessitates a multifaceted approach, with a myriad of parties engaged and committed to initial and ongoing investment in online and operational security measures. The DOL cybersecurity guidance does not have the deferential authority of a regulation. The new guidance also does not clarify whether ERISA preempts state cybersecurity laws, which often define cybersecurity best practices. The DOL cybersecurity guidance does provide helpful insight into the DOL’s expectations with respect to an ERISA plan fiduciary’s prudence obligation as it relates to cybersecurity matters. This new guidance also provides helpful information to employers with respect to their ongoing governance obligations, including their fidelity bond and fiduciary and other insurance needs.
Plan sponsors are well-advised to work with retirement plan service providers and ERISA counsel to implement a well-developed cybersecurity compliance paradigm, with the goal of protecting plan participants and beneficiaries from online attacks while limiting plan fiduciaries’ liability exposure. Only in such an ecosystem can this new triad of cybersecurity measures have the teeth the DOL cybersecurity guidance intends it to have.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Anne Tyler Hall is the founding attorney of Hall Benefits Law, and her team counsels clients on fiduciary matters, healthcare reform, executive compensation, health and welfare benefits, and retirement plan legal issues.
Eric Schillinger is Lead ERISA Counsel at HBL and concentrates his practice in the areas of qualified, health and welfare, and nonqualified employee benefit plans, including pension, defined contribution, deferred compensation, health care, life insurance, disability, fringe, and other employer-provided benefits.
Bloomberg Tax Insights articles are written by experienced practitioners, academics, and policy experts discussing developments and current issues in taxation. To contribute, please contact us at TaxInsights@bloombergindustry.com.