Cybersecurity did not exist as an issue when ERISA was enacted, but it now occupies an ever-increasing share of attention for plan fiduciaries, the IRS, and the DOL. Little existed in the way of guidance, but that has started to change. On April 14, 2021, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued its first cybersecurity guidance in the form of best practices for retirement plans.
The guidance was issued in three parts:
- Tips for Hiring a Service Provider,
- Cybersecurity Program Best Practices, and
- Online Security Tips
This guidance is not in the form of a regulation. Nevertheless, we understand that the DOL has already initiated investigations regarding cybersecurity practices. With that in mind, it will pay to briefly review the guidance, as well as the questions the DOL is asking in audits. We will look at all three sections of the guidance. The first section deals primarily with the responsibilities of the plan sponsor and fiduciaries when hiring a service provider. The second section details responsibilities for service providers, and the third can be considered tips for users of the recordkeeping or service provider systems.
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
Six tips were provided to assist plan sponsors and fiduciaries to meet their responsibilities under ERISA to prudently select and monitor service providers.
- Ask service providers for information about their security standards, practices and policies, and audit results so that they can be compared to industry standards. Look for adherence to recognized information security standards, and for an audit of those procedures by an outside party that documents and validates them.
- Ask the vendor what security standards it has met and implemented and how it validates those standards. Request the right to review audit results.
- Evaluate the service provider's history and track record regarding security incidents and litigation related to the vendor’s services.
- Ask what security breaches have been experienced in the past, and how the service provider responded.
- Determine what insurance policies the vendor has that would cover cybersecurity losses and identity theft breaches.
- Be sure any service provider contract requires ongoing compliance with cybersecurity standards. Guard against contract provisions that limit the service provider’s responsibility for IT security breaches. Try to include terms in the contract that would enhance cybersecurity for the plan and its participants, such as:
- Require the service provider to obtain an annual third-party audit of compliance with security policies and procedures.
- The contract should contain clear provisions on the use and sharing of information and on confidentiality.
- The contract should require notification of cybersecurity breaches, including the timing of notice and who must be notified, and require the provider’s cooperation in investigating and reasonably addressing the cause of the breach.
- The contract should require the service provider to comply with records retention and destruction, privacy, and information security laws.
- Inquire about and perhaps require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage. Understand any terms and limits of any coverage.
Cybersecurity Program Best Practices
The Employee Benefits Security Administration has prepared a list of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions about the service providers they select. A plan’s service providers should:
- Have a formal and well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Since these practices apply to service providers, your role as a plan fiduciary includes verifying that the recordkeepers and service providers you retain for the plan actually follow them.
Online Security Tips
As users of these systems, we are also responsible for taking appropriate security measures. You have probably heard most of these before and may practice them already. To reduce the risk of fraud and loss, follow these guidelines:
- Register, set up and routinely monitor your online accounts.
- Use strong and unique passwords.
- Use multi-factor authentication as a second credential to verify your identity.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be careful whenever using free Wi-Fi.
- Beware of phishing attacks.
- Keep antivirus software current and regularly updated.
- Be sure to report identity theft and cybersecurity incidents.
Cybersecurity is a complex and rapidly evolving threat to your company, your plan and plan assets, and participant accounts and information. These threats can come from external or internal actors, and can exploit weaknesses in security within your company, your plan, or your service providers. We recommend that you seek guidance and assistance from specialists, including those charged with security in your own organization as well as outside counsel or other advisors.
Want to read more on the DOL's cybersecurity guidance? Check out this Nixon Peabody Article: