Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much-anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared its cybersecurity considerations with the federal Department of Labor. The essence of today’s guidance:
“Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
At this point, that obligation means, at a minimum, what EBSA sets out in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than to plan fiduciaries:
- Cybersecurity Program Best Practices
- Tips for Hiring a Service Provider with Strong Security Practices
- Online Security Tips
Acknowledging that ERISA-covered plans hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as by plan fiduciaries, who have the duty to make prudent decisions when evaluating and selecting plan service providers. Some of EBSA’s best practices include:
- Maintain a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Implement a reliable annual third-party audit of security controls.
- Follow strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures. It is worth noting that these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have already worked to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act will have a head start in taking similar steps for their retirement plans and/or their services to plans.
Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:
- Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This also applies to all third-party plan providers, even large, well-known organizations.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider’s response to the incident.
- Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, or a third party hijacking a plan participant’s account.
- Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.
It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider. Here are some reasons why.
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the trusted counsel and other advisors of plan fiduciaries and plan sponsors.