The Department of Labor recently issued its first cybersecurity guidelines for plan sponsors, plan fiduciaries, record keepers, plan participants, and beneficiaries. According to the DOL, trillions of dollars in assets in more than 140 million retirement plans across the country could be vulnerable to cybersecurity threats. The department says that the Employee Retirement Income Security Act of 1974 (ERISA) requires plan fiduciaries to take appropriate precautions to minimize the risk of cyberattacks. These guidelines outline the department’s minimum expectations on cybersecurity for ERISA-covered plans.
Which Organizations Are Affected?
Companies and organizations of any size that provide ERISA-covered plans with retirement or health & welfare benefits are expected to follow the guidelines. Plan sponsors and fiduciaries must strive to protect plan asset data and participants’ personally identifiable information (PII). Not all security threats can be prevented and eliminated, but the DOL does expect companies to take reasonable steps to mitigate those risks.
Why Are the New Guidelines Important?
Plan sponsors and service providers who fail to adequately address cybersecurity threats could be subject to potential fines and ongoing compliance audits. They will probably spend a considerable amount of time and resources answering detailed questions from the Department of Labor. Also, if an organization does experience a data breach that adversely affects plan participants, failure to follow the DOL guidelines could leave the organization vulnerable to class action lawsuits and non-compliance actions from other state and/or federal agencies.
What Guidance Does DOL Provide?
The DOL’s Employee Benefits Security Administration (EBSA) has formatted its cybersecurity guidance as a series of tips and best practices aimed at mitigating the effects of cybersecurity issues. The guidance is available online through three separate, interrelated documents. A summary of each is presented below, along with links to each document:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices. This document is aimed at record keepers and other service providers responsible for plan-related IT systems and data, as well as at helping plan fiduciaries who use those firms’ services make prudent hiring decisions. The document provides detailed guidance in 12 areas for review, including establishing a formal, well-documented cybersecurity program and conducting regular audits and risk assessments. (https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf)
- Cybersecurity Program Best Practices. How can plan sponsors and fiduciaries select and monitor service providers with strong cybersecurity capabilities? This document provides a step-by-step guide reviewing the main questions business owners should ask while evaluating recordkeeper programs. (https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf)
- Online Security Tips. These general suggestions are geared towards everyone from sponsors to plan participants. The advice includes creating strong passwords, using anti-virus software, and detecting phishing attacks. (https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf)
What Should Plan Sponsors Do Next?
The best way organizations can demonstrate they are taking appropriate action to address cybersecurity risks is by documenting their due diligence efforts. Suggested steps include:
- Reevaluate cybersecurity practices. Plan sponsors should ensure that contracts with service providers explicitly address each provider’s cybersecurity responsibilities, including cybersecurity audits and insurance against data breaches. They should also make sure that vendors regularly reevaluate how they approach and defend against security threats.
- Develop cybersecurity policies. Companies should create and document policies that address threats from both internal sources (such as disgruntled employees) and external ones (including service providers). Many large organizations already have such policies in place and conduct ongoing training for their employees. Existing policies should be reviewed to make sure they address the DOL guidelines.
- Gather relevant information at least annually. Create a document that outlines how the company approaches compliance with DOL guidelines, including the results of its risk analysis and any actions it takes to address security shortcomings.
The new guidelines are designed to expand existing EBSA regulations concerning electronic record storage and disclosure deliveries to address additional cybersecurity concerns. While some of the new EBSA guidelines are specific to plan sponsors, fiduciaries, and recordkeepers, many reflect best practices already followed by corporations to keep their systems, data, employees, and customers safe from accidental or intentional breaches. The EBSA suggestions also align with similar guidance, such as the National Institute of Standards and Technology’s Cybersecurity Framework.
With the DOL preparing to begin cybersecurity reviews of plan sponsors, sponsors of ERISA plans should not delay addressing compliance with the new federal guidelines.
Checklist: Cybersecurity Due Diligence Assessment
As a plan fiduciary, you need to establish a prudent process to understand the cybersecurity standards and practices of your service providers. Download this questionnaire to help you fulfill your due diligence requirements and document those practices.