Archived Insight | April 21, 2021
The DOL has issued three pieces of non-regulatory guidance on reducing cybersecurity risks in ERISA retirement plans. These items are the first official guidance from the DOL on this increasingly critical issue.
The guidance does not specifically address ERISA group health and welfare plans, but there appears to be no reason why the reasoning of the approach and the best practices and tips identified would not apply to such plans.
Although governmental retirement plans are not subject to ERISA fiduciary rules or DOL requirements, the DOL guidance on cybersecurity practices provides recommendations and best practices, which can serve as practical and valuable guidance to governmental retirement plans.
The three pieces of guidance are:
The guidance answers a number of questions for ERISA plan sponsors and fiduciaries. It states that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” It also clarifies that the sponsor or fiduciary needs to evaluate, select and contract with affected service providers that take steps to minimize cybersecurity risks and monitor the provider to ensure compliance with contract terms.
The guidance does not specify minimum requirements for the sponsors and fiduciaries to follow. Instead, in accordance with the DOL’s longstanding facts-and-circumstances approach, the guidance advises sponsors and fiduciaries of best practices and leaves it to them which ones to apply in accordance with the facts and circumstances of their plans.
In the press release announcing the guidance, the DOL also reminds stakeholders that the 2002 electronic recordkeeping regulations and the new voluntary electronic disclosure safe harbor regulations finalized in 2020 contain related requirements. (For a summary of the electronic recordkeeping regulations, see our 2002 publication. We discussed the electronic disclosure safe harbor regulations in a May 28, 2020 insight.) The DOL gives no indication that it will be providing any further guidance in the near term.
We briefly describe each piece of the new guidance in this insight.
The DOL has a longstanding interest in cybersecurity issues for retirement plans. It made retirement plan cybersecurity a subject of ERISA Advisory Council reports in 2011, 2015 and 2016. Starting a few years ago, it began to include questions about cybersecurity policies, attacks and responses in audit requests for retirement plan documents. Through the years, however, the DOL had not provided formal guidance for plan sponsors and fiduciaries on the question of whether they were responsible for taking action with regard to their plans’ cybersecurity risks.
At the request of Congress, in February 2021, the Government Accountability Office (GAO) issued a report on cybersecurity risks in defined contribution plans. The GAO recommended that the DOL formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in 401(k) and other retirement plans. The GAO also recommended the DOL publish minimum expectations for addressing such risks.
This guidance provides 12 best practices that plan sponsors and fiduciaries may wish to ask plan service providers to follow, along with a discussion of each practice.
These best practices generally parallel the privacy rules for group health plans under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). They include such practices as having a formal, well-documented cybersecurity program. Retirement plans may wish to consult HIPAA experts in deciding which practices to adopt. They should be aware that some of the DOL-suggested best practices go further than the related HIPAA rules, including, for example, the recommendations that risk assessments be conducted annually and be performed by an independent third party.
This guidance provides six tips to help fiduciaries identify service providers that maintain plan records and secure participant data and plan accounts. These include asking about the service provider’s information security standards, practices and policies, and audit results, as well as how the service provider validates its practices.
The guidance recommends that the service provider contract should include a requirement that the service provider comply with cybersecurity and information security standards.
The final piece of guidance is for participants and beneficiaries. It provides a list of basic rules to follow to help reduce the risk of fraud and theft.
The DOL’s recommended rules are similar to the rules generally recommended to protect private data. They include using strong passwords and multi-factor authentication, avoiding free, non-secure Wi-Fi, and being suspicious of emails that could be phishing attacks.
It appears that in auditing plans, the DOL will look to its best practices guidance to review what plans are doing. Plan sponsors may wish to review their current practices, including their service-provider contracts, to bring them into compliance with the practices the DOL has identified.
Plan sponsors should consider this new guidance as they select and monitor their retirement plan service providers that have access to plan-related data and technology.
Additionally, to the extent that plan sponsors are using individually identifiable data of plan participants (e.g., birth date and Social Security number), plan sponsors may wish to review those practices to assure that they are meeting these new fiduciary best practices, and potentially retain a cybersecurity expert to audit those practices.
Finally, plan sponsors should review existing insurance policies and determine whether cybersecurity insurance would be appropriate.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.