Author: Kelly Lazzara
On April 14, 2021, the U.S. Department of Labor ("DOL") issued retirement plan cybersecurity best practice guidance. The guidance was issued for retirement plan sponsors and fiduciaries regulated under the Employee Retirement Income Security Act ("ERISA"). This is the first guidance issued to retirement plan stakeholders and appears to establish a framework for sponsors and fiduciaries to hire service providers, to establish cybersecurity program best practices, and to educate plan participants and beneficiaries to help protect their own data.
In its news release, the DOL provides that ERISA requires plan fiduciaries to take appropriate precautions to mitigate internal and external cybersecurity threats. This is a clear statement from the DOL that it is a fiduciary duty to proactively address cybersecurity risks.
In three separate documents, the DOL provides guidance on how to hire service providers with strong cybersecurity practices, best practices for a cybersecurity program, and online security tips for participants and beneficiaries.
Tips for Hiring Service Providers with Strong Cybersecurity Practices
It is a fiduciary responsibility under ERISA to prudently select and monitor service providers. In keeping with that responsibility, the DOL offered tips for hiring retirement plan service providers. However, the overarching theme of the 'tips' addresses not just ideas for hiring retirement plan service providers, but also engaging in contracts with retirement plan service providers that enable ongoing monitoring of cybersecurity.
As part of its 'tips' for hiring retirement plan service providers, the DOL offers topics to consider ranging from how past breaches were handled to insurance, as well as making clear that contracts with service providers require ongoing compliance with cybersecurity and information standards.
The DOL's tips include asking about the service provider's security standards, practices and policies, as well as audit results, and comparing those to industry standards. The DOL indicates that a fiduciary can have more confidence in service providers whose systems are backed by annual audit reports.
As noted above, the DOL also suggests that contracts with the service provider should provide the fiduciary with the ability and right to review audit results demonstrating compliance with whatever level of security standards the service provider is held to. This suggests that fiduciaries should have the right (and responsibility) to review the audit during the term of a contract - not just at the initial engagement with the service provider. Plan sponsors should also engage in annual information security reporting, where the service provider must have a third-party audit to determine and demonstrate its compliance with security policies and procedures.
Cybersecurity Best Practices
The DOL states plainly that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. The best practices are published for record-keepers and other service providers who are responsible for plan-related IT systems and data. However, for retirement plans that use a sponsor's internal resources to support plan-related functions, such as internal IT systems and data, these best practices would seemingly apply internally as well.
This emphasizes the need to first identify and ensure responsibility over plan functions and data so that internal controls can be assessed or developed in light of the best practices, as well as those cybersecurity practices of service providers.
Online Security Tips for Participants and Beneficiaries
The DOL suggests online security practices for plan participants and beneficiaries, such as registering, setting up, and routinely monitoring online accounts, using strong and unique passwords, multifactor authentication, and keeping contact information current. Although these best practices are directed to plan participants, plan fiduciaries can help participants use these by setting these as standards for access - such as offering and requiring multifactor authentication, requiring service providers to set minimum password requirements, providing education around cybersecurity, or using antivirus software.
Cybersecurity education is critical not only for access to retirement plans, but also for general workplace security. Many employers routinely provide education to protect company assets, but should consider expanding and extending that education to apply to personal and retirement plan cybersecurity.
This guidance establishes guidelines for fiduciaries to use and follow in selecting service providers and maintaining their own internal cybersecurity processes. A close read of the tips may suggest that a plan fiduciary should review current contracts and possibly amend those contracts now, or at the next contract negotiation, to add these 'tips' to agreements with service providers. It's clear, though, that some sort of action should be taken now to implement the 'tips' and best practices.
For many retirement plan fiduciaries, assessing whether a service provider or its own internal cybersecurity practices meet these best practices is not within the fiduciaries' area of expertise. Under ERISA's prudence standard, fiduciaries must discharge their duties with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use. This means that where an ERISA fiduciary is not an expert in an area to which a fiduciary responsibility applies, it should consult an expert to help them understand and carry out the fiduciary responsibilities and make fiduciary decisions.
Additionally, as with most fiduciary matters and decisions, process and procedure are as important as the decision. Plan fiduciaries should consider how to begin to develop prudent procedures to implement these new cybersecurity best practices. As always, fiduciaries should carefully document any steps they take to implement these practices.
Against the backdrop of this first cybersecurity guidance, retirement plan fiduciaries should begin the process of education about cybersecurity best practices with new and existing service providers. Fiduciaries should also engage internal or external experts to help meet this requirement and the prudent person standard.
Finally, whether cybersecurity was a fiduciary responsibility was a long-standing question. This guidance, although informal, indicates clearly that, in the DOL's view, cybersecurity risk mitigation is a fiduciary responsibility.