Cybersecurity Coverage Compliance Suggestions for DOL’s Retirement Plan
“When, not if” is a phrase often used to describe the risk of a data breach. Close to $11 trillion held in employer-sponsored retirement plans is a particularly tempting target for cyber criminals. Through audits and best practice guidelines, the Department of Labor (DOL) encourages retirement plan sponsors to be vigilant about managing cybersecurity risk.
Because companies often outsource the management of retirement plans, DOL recently released cybersecurity guidelines for plan sponsors, including tips on hiring a service provider with strong cybersecurity practices. Below we provide context on typical retirement plan breaches and offer additional insights into DOL’s best practice guidelines.
Retirement data breaches are unique
Although data breaches are often viewed as complex operations carried out by coordinated hacking groups, retirement plan breaches are frequently more elementary. Individual “bad actors” with access to retirement plan information can readily find system or process vulnerabilities and exploit them to empty retirement accounts.
The recent Bartnett v. Abbott Laboratories case is a case in point: a scammer gained access to retiree Heide Bartnett’s online Abbott Labs 401(k) account through the forgotten-password function, using Bartnett’s date of birth and the last four digits of her Social Security number. Posing as Bartnett, the scammer then made multiple calls to the retirement plan administrator, obtained additional confidential information about the retiree from call center staff, and eventually stole over $240,000 from her account.
Bartnett sued her former employer, the retirement plan, and the third-party provider for breach of fiduciary duty and other claims under Illinois law.
How can HR managers protect their retirement plan participants from a similar fate and protect their company from fiduciary claims? DOL’s cybersecurity guidelines provide a good place to start. The following tips, to be read in conjunction with the DOL guidelines, provide additional insights to help HR managers establish appropriate safeguards.
Use contract renewals
Contract terms should be reviewed at renewal to ensure that a vendor’s contractual obligations regarding data security are clear, ongoing, and in line with DOL’s best practice guidelines, legal obligations, and business requirements:
- Consider including a contractual right to review the vendor’s annual security test results, business continuity and document management plan, and records management guidelines.
- Indemnification and limitation-of-liability clauses should be carefully examined to ensure that risk is appropriately shared between the vendor and the company.
Before signing a contract renewal or extension, evaluate the history of the vendor relationship. Poor performance by the vendor can indicate a data security risk:
- Did the vendor’s sales team promise too much and deliver too little?
- Are service levels below the guaranteed levels?
- Has a mitigation been identified that should be part of the agreement but that the vendor is unwilling to put in writing?
- Is the vendor failing to respond in a timely and accurate manner to inquiries about business problems and incidents?
These are all warning signs that the vendor may not be adequately staffed or scaled to handle a given engagement and that its data security practices may be lacking.
Dig deeper into the audit results
Requiring vendors to provide the results of their latest information security audit is a good starting point. Once the results are available, note the scope of the audit:
- A review limited to system access via Microsoft Active Directory, for example, will not reveal security deficiencies in the call center.
- A review of call center security procedures may overlook security flaws in the vendor’s enterprise cloud architecture.
Understanding where participant data is stored, which systems it is transferred to, whether the company itself processes it, whether it is encrypted both at rest and in transit, and when, how, and by whom it is accessed is critical to judging whether the audit results are reliable.
In addition to the scope, note the date and frequency of the vendor’s audit process. Audits should be carried out at least once a year and as part of the remediation process after a breach.
Technological and regulatory requirements related to cybersecurity are evolving rapidly. Regular audits ensure that a provider is informed of evolving security controls and legal requirements.
During the COVID-19 pandemic, many employees started working from home. For retirement plan providers with remote workers, a post-pandemic cybersecurity audit should assess remote work controls, including system access points such as VPN security and other web access points.
More frequent security audits may be required for higher risk, critical functions, and highly sensitive data. Since attack methods and environmental changes develop quickly, annual audits can lag behind in assessing the actual security situation of a provider.
Consider whether more frequent security assurances are required, such as monthly or quarterly confirmation that risk assessments remain current and that the information remains secure.
Use a Vendor Security Questionnaire
Having vendors complete a security questionnaire can be a powerful tool for assessing a vendor’s cybersecurity practices. A comprehensive questionnaire will:
- Identify areas of risk and determine whether a vendor has implemented appropriate technical, process, and access controls to protect participant information.
- Provide a window into a vendor’s systems architecture that will help you assess whether the scope of vendor reviews is appropriate and whether there are appropriate business continuity plans in place.
A security questionnaire can be an important tool for managing risk and ensuring that the vendor is aware of the laws and regulations governing confidential retirement plan information. It may also support specific contractual provisions needed to ensure ongoing compliance with cybersecurity and information security standards and practices.
Vendors should complete the security questionnaire annually before or when submitting their annual information security review results.
Document, document, document
If the inevitable happens and a breach of vendor data exposes retirement plan participants’ confidential data, scrutiny may follow. A company’s vendor selection and management process, and the documentation of it, can be examined by regulators or through civil litigation.
Retirement plan sponsors are bound by fiduciary duties with respect to the selection of vendors, including due diligence. Be sure to document the selection process, including the cybersecurity assessment and criteria, and the ongoing efforts to monitor cybersecurity compliance of existing vendors.
Evidence of compliance with DOL’s best practice guidelines is an effective defense against claims of improper vendor selection.
Jessica Palvino, JD, LLM, is an employee benefits attorney with Mitchell, Williams, Selig, Gates & Woodyard, PLLC in Austin, Texas. Mandy Stanton, JD, CIPP/US, CIPP/E, is an information security and privacy attorney based in Mitchell Williams’ Little Rock, Ark., office. Anton Janik, JD, LLM, CIPP/US, CIPP/E, is a tax and information security attorney in Little Rock.