The Department of Labor (DOL) recently issued long-awaited guidance on the fiduciary duties of plan sponsors to protect retirement plans from cybersecurity threats. The guidance is aimed at enhancing the protection of more than $9.3 trillion in retirement defined contribution plan assets. The DOL guidance includes a list of best practices for retirement plan recordkeepers and other service providers to follow, as well as tips that employers should consider when entering into service agreements with retirement plan recordkeepers and other service providers. The guidance also includes tips for employees to keep their accounts safe. This article will focus on the steps plan sponsors should implement to protect plans from cybersecurity threats.
In recent years, the number of participant accounts subject to hacking or online identity threats has grown, but there has been an absence of official guidance from DOL on fiduciary responsibility, which has led to uncertainty. However, we have advised clients that plan fiduciaries likely have a fiduciary responsibility to mitigate cybersecurity risks. Yet, without guidance, plan fiduciaries have not always been in a position to enter into favorable contracts with recordkeepers or obtain sufficient information about the internal controls of some recordkeepers. As the risks have increased, plans have been sued by participants over losses of retirement assets, and plan fiduciaries have faced claims of fiduciary breach as well as demands to restore the lost assets.
In 2016, the ERISA Advisory Council published a report recommending that DOL provide information to educate the employee benefits community on cybersecurity risks and best practices, but the issue of fiduciary responsibility remained unsettled. Then, in February 2021, the United States Government Accountability Office (GAO) issued a report recommending formal DOL guidance and outlining the myriad risks to data and money in defined contribution plans. The GAO report is a thorough explanation of cybersecurity risks to defined contribution plans and serves as a detailed roadmap of the uses of plan data and as source material for the new guidance.
Summary of the Guidance
The new DOL guidance clearly states that employers have a fiduciary duty under the Employee Retirement Income Security Act (ERISA) to ensure proper mitigation of cybersecurity risks. This fiduciary responsibility is derived from the duties of prudence and loyalty. The guidance reiterates that plan fiduciaries must also prudently select and monitor plan recordkeepers and other service providers.
This guidance is a very important tool that allows plan fiduciaries to effectively negotiate with recordkeepers and other service providers to mitigate the risks and obtain favorable contract terms in the event of a breach, intrusion, or actual loss. While cybersecurity is the plan sponsor's fiduciary duty, the plan sponsor should ensure that all service providers will also comply with the new DOL guidance.
The DOL guidance was issued in three separate parts:
- First is "Tips for Hiring a Service Provider," which provides tips for plan sponsors to consider when hiring service providers.
- Second is "Cybersecurity Program Best Practices," which outlines cybersecurity program best practices for recordkeepers and other service providers, including the need for a formal recordkeeper cybersecurity program.
- Last is "Online Security Tips," which offers tips for participants and beneficiaries to follow in protecting their own online retirement accounts against fraud and loss.
While this guidance is not a regulation, we understand that DOL intends to have its investigators utilize the guidance in future plan audits, so plans should comply with the guidance. The remainder of this article will summarize the highlights of DOL's recommended best practices and tips for plan sponsors.
DOL Tips for Employers
As noted above, plan fiduciaries are obligated to ensure that plan recordkeepers and other service providers have robust cybersecurity practices. Before entering into a service agreement with recordkeepers and other service providers, the DOL recommends asking the following questions as part of the employer's due diligence:
- What are the service provider's cybersecurity standards, practices, policies, and audit results?
- How does the service provider validate its practices, and what level of security standards has it met and implemented?
- What is the service provider's track record in the industry regarding its publicly reported security incidents, litigation, and legal proceedings?
- What past security incidents have occurred, and how has the service provider responded?
- Does the service provider have insurance policies that would cover losses caused by cybersecurity and identity theft breaches, including threats by the service provider's own employees and third-party threats?
Such questions will help a plan fiduciary evaluate whether the service provider has adequate data protection practices in place and whether entering into a service agreement with that service provider is prudent. In addition, the DOL's guidance sets forth minimum requirements for any contract with such a service provider, including:
- A requirement that the service provider obtain an annual third-party audit of its security practices and procedures;
- Provisions requiring the service provider to keep private information confidential, to prevent the use or disclosure of confidential information without written approval, and to satisfy a strong standard of care with respect to the protection of confidential information;
- A requirement that the service provider provide notice of a security breach within a specified number of days and that the service provider cooperate to investigate and address a breach;
- A requirement that the service provider comply with federal, state, and local laws, rules, regulations, directives, and other requirements concerning the privacy, confidentiality, and security of participants' personal data; and
- A requirement that the service provider maintain certain levels of cyber liability and privacy breach insurance coverage, in addition to fidelity bond and blanket crime coverage.
By taking the steps above, plan fiduciaries can enhance the level of data protection and security of assets provided to their retirement plan participants and can help ensure that they are complying with their ERISA fiduciary duty to prudently select and monitor their plan service providers.
You should work with legal counsel to document the plan sponsor's review of the plan service providers' cybersecurity measures and discuss changes to contract language. Venable also has Cybersecurity Risk Assessment Services that can help you review your cyber risks while, to the greatest extent possible, maintaining legal privilege.