The U.S. Department of Labor (“DOL”) recently issued guidance on best practices for maintaining cybersecurity directed to plan sponsors, fiduciaries, record-keepers and participants of employee benefit plans governed by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). While some prior cybersecurity guidance has been issued for certain employee benefit plans governed by ERISA, this is the first guidance issued by the Employee Benefits Security Administration (EBSA) of the DOL related to cybersecurity.
Although the guidance focuses primarily on retirement plans (e.g., pension and 401(k) profit sharing plans), the guidance applies to any ERISA-covered plans, including health and welfare benefit plans, that would be subject to the same fiduciary standards. Implicit in the DOL’s guidance is that plan fiduciaries of pension benefit plans as well as health and welfare benefit plans have a fiduciary duty to secure plan data and participant information.
The DOL guidance takes the form of “tips” and “best practices”:
- Tips for Hiring a Service Provider: Guidance to plan sponsors and fiduciaries regarding the prudent selection and monitoring, as required by ERISA, of a service provider with strong cybersecurity practices.
- Cybersecurity Program Best Practices: Assistance to plan fiduciaries and record-keepers in their responsibilities under ERISA to manage cybersecurity risks.
- Online Security Tips: Basic rules for plan participants and beneficiaries who check their retirement accounts online to reduce the risk of fraud and loss.
The guidance is intended to complement the EBSA’s regulations related to electronic records and disclosures to plan participants and beneficiaries, which include provisions requiring electronic recordkeeping systems to have reasonable controls, adequate records management practices in place, and further requiring that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.
Plan sponsors and other plan fiduciaries and plan record-keepers should anticipate that in future DOL audits, investigations and enforcement actions, the DOL’s cybersecurity guidance will serve as a benchmark for assessing whether adequate protections have been put in place to protect plan data and participant information against cybersecurity risks. In fact, recent DOL audit questionnaires have included a series of questions related to cybersecurity, such as whether the third party service provider maintains a privacy and security policy that applies to personally identifiable information for benefit plans. The DOL is also interested in whether the third party service provider has cyber insurance and requires authentication procedures, how it maintains its technology and implements required updates, what security requirements apply to information (from storage, through the length of the retention period, to destruction), and what training is required for employees with access to plan information.
Tips for Hiring a Service Provider:
The first part of the DOL’s guidance is directed to plan sponsors and fiduciaries to help them meet their responsibilities under ERISA to prudently select and monitor service providers maintaining plan records and/or participant data. These include:
- Conducting due diligence regarding a service provider’s information security standards, practices and policies and comparing them to recognized industry standards.
- Review and validation of the service provider’s cybersecurity by an independent auditor.
- Evaluation of the service provider’s track record in the industry, including public information regarding information security breaches and other incidents.
- Determining whether the service provider maintains adequate cybersecurity insurance covering both internal and external threats.
- Review of the service contract to confirm the service provider’s ongoing cybersecurity obligations and to identify any contractual provisions limiting the service provider’s liability in the event of a cybersecurity breach.
- Ongoing monitoring of the service provider, including requiring annual independent audit reports and reporting of security breaches.
Cybersecurity Program Best Practices:
The second part of the DOL’s guidance is directed to plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks. It is intended that it be used by plan record-keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions in selecting their service providers.
The DOL guidance lists twelve (12) best practices:
- Have a formal, well documented cybersecurity program that identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information.
- Conduct prudent annual risk assessments to identify, estimate, and prioritize information system risks.
- Have a reliable annual third party audit of security controls to provide a clear, unbiased report of existing risks, vulnerabilities, and weaknesses.
- Clearly define and assign information security roles and responsibilities to assure that the organization’s cybersecurity program is managed at the senior executive level and executed by qualified personnel.
- Have strong access control procedures to assure that users are who they say they are and that they have the appropriate access to IT systems and data.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training to set clear cybersecurity expectations for all employees and educate employees to recognize the methods used to illegally access a network or computer to help prevent cyber-related incidents and respond to potential threats.
- Implement and manage a secure system development life cycle (SDLC) program that includes activities such as penetration testing, code review, and system architecture analysis as an integral part of secure system development.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response that can quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and data.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents, including, but not limited to, giving affected plans and participants the information necessary to prevent/reduce injury.
Online Security Tips:
The online security tips are directed at plan participants and beneficiaries who check their retirement accounts online and offer basic rules to reduce the risk of fraud and loss. These include:
- Register, set up, and routinely monitor your online account;
- Use strong and unique passwords;
- Use multi-factor authentication;
- Keep personal contact information current;
- Close or delete unused accounts;
- Be wary of free Wi-Fi;
- Beware of phishing attacks;
- Use antivirus software and keep apps and software current; and
- Know how to report identity theft and cybersecurity incidents.
If you have any questions on the DOL’s guidance or would like assistance with developing a privacy and cybersecurity compliance program with an emphasis on employee benefit plan compliance, please reach out to one of our team members for assistance.
See, for example, the National Institute of Standards and Technology’s Implementing the HIPAA Security Rule: Call for Comments on SP 800-66, Revision 1, https://csrc.nist.gov/News/2021/call-for-comments-on-sp-800-66-rev-1. We note that the DOL’s ERISA Advisory Council had previously provided a report that outlined “Cybersecurity Considerations for Benefit Plans” and included an appendix with “Considerations for Managing Cybersecurity Risks,” but that such guidance was not issued by the DOL itself.