On April 14, 2021, the Department of Labor (“DOL”) issued guidance that has been eagerly anticipated by employers, their plans’ advisors, and other plan service providers. Part of the guidance addresses cybersecurity practices and procedures specifically for defined contribution plans (e.g., 401(k) and 403(b) plans), but its principles should apply to all ERISA plans.
As background, this guidance stems from many cybercriminals’ recent focus on the large amount of assets in these plans. That focus, and the resulting theft of participants’ plan accounts in several cases, led to a February 11, 2021 report from the Government Accountability Office (“GAO”). In that report, the GAO stated that it “is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in DC plans and to establish minimum expectations for addressing cybersecurity risks in DC plans.” In response, the April 14, 2021 guidance is the DOL’s first guidance that directly addresses cybersecurity in ERISA plans.
The DOL provided this new guidance in the form of three “tips” and “best practices” pieces, which I discuss below. Importantly, on a broad level, the DOL’s position is that ERISA plan fiduciaries must mitigate cybersecurity risks in their plans.
First, the DOL published “Tips for Hiring a Service Provider with Strong Cybersecurity Practices.” This is intended to help plan sponsors and fiduciaries prudently select a service provider and monitor the provider’s activities. The DOL advises plan sponsors and fiduciaries to:
- Ask about the service provider’s information security standards, practices, policies, and audit results, and compare them to industry standards adopted by other financial institutions.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
- Evaluate the service provider’s track record in the industry (e.g., public information regarding information security incidents).
- Ask whether the service provider has experienced security breaches. If so, ask what happened and how the service provider responded.
- Ascertain whether the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
- Ensure that the service provider’s contract requires ongoing compliance with cybersecurity and information security standards.
Second, the DOL published “Cybersecurity Program Best Practices” to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. According to this guidance, plans’ service providers should:
- Have a formal, well documented cybersecurity program. A prudently designed program protects information in the provider’s systems from unauthorized access, by enabling the provider to protect assets, data, and systems and to detect and respond to cybersecurity events.
- Conduct prudent annual risk assessments, which should involve several steps (e.g., describe how the cybersecurity program will mitigate identified risks, facilitate the revision of controls resulting from changes in technology and emerging threats).
- Have a reliable annual third party audit of security controls. When the DOL reviews a plan in this regard, the DOL will expect to see audit reports and supporting documents, as well as documented corrections of any weaknesses identified in the independent third party’s analyses.
- Clearly define and assign information security roles and responsibilities. For a cybersecurity program to be effective, it must be managed at the “senior executive level,” such as by the Chief Information Security Officer.
- Have strong access control procedures. Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to IT systems and data. Strong procedures in this regard include limiting access privileges based on the role of the relevant individuals and using multi-factor authentication wherever possible.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training, at least annually.
- Implement and manage a secure system development life cycle program. Best practices here include protections such as configuring system alerts to trigger when an individual’s account information has been changed, and requiring additional validation if personal information has been changed prior to a request for a distribution from the plan account.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, whether it is stored or in transit.
- Implement strong technical controls in accordance with best security practices. This involves keeping hardware and software versions current and routinely backing up data (preferably via an automated system).
- Appropriately respond to any cybersecurity incidents (e.g., notify law enforcement personnel, provide affected plans and participants with information necessary to prevent/reduce the financial harm).
Third, the DOL published “Online Security Tips.” This guidance, which is directed at plan participants and beneficiaries who check their retirement plan accounts online, provides basic rules to reduce their risk of fraud and loss. The DOL suggests that those individuals take the following steps:
- Register, set up, and routinely monitor their online account.
- Use strong and unique passwords.
- Use multi-factor authentication. This requires a second credential to verify the participant’s or beneficiary’s identity, such as by requiring them to enter a code sent in real-time by text message or email.
- Keep personal contact information current.
- Close or delete unused accounts.
- Be wary of using free WI-FI, which might pose security risks that give cybercriminals access to the participant’s or beneficiary’s personal information.
- Beware of phishing attacks.
- Use antivirus software and keep apps and software current.
- Know how to report cybersecurity incidents. In this regard, the guidance includes links to FBI and Department of Homeland Security web pages.
It is highly likely that cybercriminals will continue to target assets in ERISA plans and that lawsuits in this area will continue to be filed. Those lawsuits, like certain lawsuits filed in the past couple of years, will involve plan participants suing the plan sponsor and the plan’s service provider(s) after cybercriminals steal participants’ plan assets. Plaintiffs’ attorneys might argue that this DOL guidance constitutes a proper standard for determining whether plan fiduciaries acted prudently with respect to the plan’s and service providers’ cybersecurity processes and protections.
Plan sponsors should review this guidance carefully, discuss it with their IT personnel, and have their ERISA attorney review their plan’s service provider contracts to determine the extent to which their contracts should be updated to reflect this new DOL guidance. Plan sponsors should also consider communicating the “Online Security Tips” guidance to plan participants (and to beneficiaries of deceased participants), and using that guidance in future educational campaigns.