Overview

Action Items

  • Review existing DOL cybersecurity guidance to understand DOL’s view on cybersecurity “best practices” for retirement plans.
  • Review existing plan cybersecurity practices and procedures and measure them against the DOL’s guidance.
  • Review plan service provider hiring practices and contracts with such service providers in light of the DOL’s cybersecurity guidance.
  • Consider distributing DOL’s online security tips to plan participants and keeping a record of that distribution.
  • Consult with legal counsel regarding any questions or issues respecting compliance with the DOL’s cybersecurity guidance.

Overview

Because cybersecurity, and particularly cyber-related breaches, continues to be at the forefront of issues impacting companies as well as their employees, shareholders and customers, among others, we are taking this opportunity to remind retirement plan sponsors of the DOL’s cybersecurity guidance. The DOL’s cybersecurity guidance is set forth in three separate documents issued by the Employee Benefit Security Administration:

The DOL’s cybersecurity guidance is directed toward plan sponsors, fiduciaries, service providers, participants and beneficiaries of ERISA retirement plans.[1] The guidance provides “tips” and “best practices” for identifying and mitigating cybersecurity risks.

This Alert is intended to provide an overview of the DOL’s cybersecurity guidance. We recommend that all ERISA retirement plan adjacent individuals review and consider the guidance in its entirety.

Cybersecurity Program Best Practices

The DOL’s cybersecurity guidance begins with a reminder of the general landscape in which retirement plans operate and a warning –

“ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”

The DOL notes 12 “best practices” for cybersecurity programs aimed at plan fiduciaries, recordkeepers, and service providers. In meeting their obligations to retirement plans, service providers should:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

The DOL’s guidance expands on each of the 12 best practices. Recordkeepers and other service providers responsible for plan-related IT systems and data are advised to comply with the best practices, and plan fiduciaries are advised to consider such best practices in making prudent decisions on the service providers they hire.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

Given that employer-sponsors of 401(k) and other types of pension plans often rely on other service providers to maintain plan records and keep participant data confidential and plan accounts secure, the DOL advises plan sponsors to use service providers that follow strong cybersecurity practices. To help employer-sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers, the DOL sets out six “tips” for employer-sponsors and fiduciaries of all sizes:

  1. Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
  2. Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
  6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants (e.g., information security reporting, use and sharing of information, notification of cybersecurity breaches, insurance, etc.).

Online Security Tips

Finally, the DOL issued a series of online security “tips” for plan participants to consider with respect to their retirement plan accounts and benefits. Employer-sponsors and fiduciaries should consider making this list of tips available to plan participants and beneficiaries.

The DOL’s online security “tips” for participants (which, in practice, can be said to apply to almost any online scenario) include:

  1. Register, set up and routinely monitor your online account.
  2. Use strong and unique passwords.
  3. Use multi-factor (aka, “two-factor”) authentication.
  4. Keep personal contact information current.
  5. Close or delete unused accounts.
  6. Be wary of free wi-fi.
  7. Beware of “phishing” attacks.
  8. Use antivirus software and keep apps and software current.
  9. Know how to report identity theft and cybersecurity incidents. The FBI and the Department of Homeland Security have set up valuable sites for reporting cybersecurity incidents:

We Can Help You

We thoughtfully approach each of our client’s legal needs and provide individually tailored solutions to help our clients both meet developing legal requirements and strengthen their investor relations. Please contact us if you would like to discuss the DOL’s cybersecurity guidance and its application to, and impact on, your ERISA plans.


[1] As drafted, it is not clear if the DOL’s guidance is intended to apply to all ERISA plans, including health and welfare plans, or only retirement plans.

Jump to Page

We use cookies on our website to improve functionality and performance, analyze website traffic, and enable social media features. By continuing to use our website, you agree to our use of cookies.