On April 14, 2021, the Department of Labor (DOL) released a series of long-anticipated cybersecurity tips and best practices for ERISA-covered benefit plans, which include retirement and welfare plans. The guidance is directed at plan sponsors and fiduciaries (and, at least indirectly, plan service providers) as well as plan participants and beneficiaries. The DOL estimates that these benefit plans hold $9.3 trillion in assets, along with personal data on millions of plan participants, making them a hotbed for cybertheft and cybersecurity issues. Accordingly, without cybersecurity protections in place, assets and participants are at risk. Plan fiduciaries have an obligation to mitigate these risks, though much of the guidance provided by DOL is aimed at plan participants and beneficiaries rather than plan fiduciaries.
The guidance released by DOL consist of the following: tips for hiring a service provider, cybersecurity program best practices, and online security tips. The main points of each are described below.
The general premise is that plan sponsors should use service providers that have strong cybersecurity precautions in place. The DOL sets forth specific steps and contractual terms for plan sponsors to follow to ensure they have done their due diligence when contracting with a service provider. The DOL has suggested the following:
- Ask about the provider’s information security standards (specifically if it follows a recognized standard), practices and policies, and audit results (and if it uses a third-party auditor) and compare these to the industry standards adopted by other financial institutions. The contract with the provider should specify that they must meet all applicable federal, state and local laws and requirements pertaining to the privacy, confidentiality or security of a participant’s or beneficiary’s personal information.
- Find out how the service provider validates its practices and what levels of security standards it has met and implemented. The DOL recommends ensuring there are contract provisions that allow you to review audit results demonstrating compliance with the standard. In addition, include contractual terms requiring a provider the obligation to keep information private, prevent the use or disclosure of confidential information without permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse.
- Evaluate the provider’s track record in the industry by researching and reviewing public information regarding any prior security incidents, litigation and legal proceedings related to the provider.
- Ask the provider if they have had past security breaches, how those breaches occurred, and how the provider responded. Any contract with the provider should spell out how quickly the plan sponsor should be notified if there has been an incident or breach and should require the provider’s cooperation to investigate and address the cause of the breach.
- Inquire if the provider has insurance that would cover losses resulting from cybersecurity and identity theft breaches. If not, consider requiring the provider to carry insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability, and privacy breach insurance, and/or fidelity bond/blanket criminal coverage. It is important to understand the terms and limits of any coverage.
The DOL set forth 12 “best practices” that recordkeepers and other service providers responsible for plan-related IT systems and data should use and that prudent plan fiduciaries should consider when hiring service providers. Of note is the DOL’s broad statement that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” The guidance goes into significant detail on each of the items, but the general list is set forth below:
- Have a formal, well documented cybersecurity program. The DOL stated that a “sound” cybersecurity program will identify and assess both internal and external threats to the confidentiality, integrity or availability of stored, nonpublic information. Specifically, such a program should enable the organization to:
- identify the risks
- detect and respond
- disclose as appropriate, and
- restore normal operations and services.
- Conduct prudent annual risk assessments. As threats continually change, it is important to keep the assessment current to account for these changes.
- Have a reliable, annual third-party audit of security controls. Use of a third party allows for a clear and unbiased report of the existing risks, vulnerabilities and weaknesses in cybersecurity program.
- Clearly define and assign information security roles and responsibilities. The DOL notes that the program should be managed by a senior executive, such as the Chief Information Security Officer.
- Have strong access control procedures. Such procedures should focus on authentication and authorization.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training. As employees are often the “weakest link” in an organization’s cybersecurity, comprehensive training should be required for all employees.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program address business continuity, disaster recovery, and incident response. Such program should be written and documented.
- Encrypt sensitive data, stored and in transit. Current, prudent standards for encryption keys, message authentication, and hashing should be in place to protect data at rest and in transit.
- Implement strong technical controls in accordance with best security practices. Hardware, software and firmware should be kept up to date and routine data backups conducted.
- Appropriately respond to any past cybersecurity incidents. Investigation, notification and resolving the problem that led to the breach are actions that should be taken.
The last piece of guidance issued by the DOL is a tip sheet for plan participants and beneficiaries to protect their own information from a cybersecurity attack. The tip sheet advises participants and beneficiaries to reduce the risk of fraud and loss of their retirement assets by setting up and monitoring their online account to avoid cybercriminals assuming their identity, using strong and unique passwords of 14 or more characters, enabling multi-factor authentication such as entering a code sent in real-time via text message, keeping personal contact information current, and providing multiple communication options, closing or deleting unused online accounts, avoiding free WiFi networks, being aware of phishing attempts, using antivirus software and keeping such software current, and lastly, knowing how to report identity theft and cybersecurity incidents.
Many of these practices are similar to those required in other privacy-centered regulatory frameworks such as the HIPAA privacy and security rules and various state data regulations or recommended by cybersecurity experts. While the guidance provided is unlikely to be shocking to most IT security professionals, it does give us insight into what the DOL may look for on an audit of employee benefit plans. The DOL best practices also involve more written documentation of cybersecurity policies and procedures than may be common.
Much of this guidance appears centered around retirement plans, but it is important to remember that group health plans and other welfare plans also are subject to ERISA’s fiduciary duties. Further, it raises the question of whether other privacy-centered enforcement bodies, such as the Department of Health and Human Services Office of Civil Rights (HHS), which enforces the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), will adopt these guidelines to supplement HIPAA’s security rule as it applies to group health plans. Plan sponsors of group health plans subject to HIPAA will need to layer the DOL’s guidelines on top of their HIPAA compliance.
It would behoove plan sponsors to review their cybersecurity practices under these guidelines and document doing so. Plan sponsors also should consider providing plan participants and beneficiaries with a copy of the DOL’s Online Security Tips. Such actions will support plan fiduciaries in demonstrating that they are satisfying their duty to mitigate cybersecurity risk.
Calfee Connections blogs, vlogs and other educational content are intended to inform and educate readers about legal developments and are not intended as legal advice for any specific individual or specific situation. Please consult with your attorney regarding any legal questions you may have. With regard to all content including case studies or descriptions, past outcomes do not predict future results. The opinions expressed may not necessarily reflect the view points of all attorneys and professionals of Calfee, Halter & Griswold LLP or its subsidiary. Updates related to all COVID-19 government assistance programs are provided with the most current information made available to Calfee at the time of publication. Clarifications and further guidance are being disseminated from government authorities on an ongoing basis. All information should be reaffirmed prior to the submission of any application and/or program participation.
- Calfee’s Commitment to Business in Ohio
- Senate Passes CHIPS Act, Incentivizing Intel’s Investment in Ohio
- Calfee NOW: Valerie Pope, Executive Director of the Mechanical Contractors Association of Ohio, on Intel
- Calfee NOW: Congressman Troy Balderson on Intel
- Calfee NOW: Ohio Chamber of Commerce President and CEO Steve Stivers on Intel
- Satisfying Policy Retentions or Deductibles With Other People’s Money
- Calfee NOW Episode 24 With Chris Berry, President and CEO of OhioX
- Who Dey! How to Cheer on Your Cincinnati Bengals Without Committing Trademark Infringement
- Acquiring the Equity of an Entity Taxed as an S Corporation? Consider an “F Reorg.”