DOL Cybersecurity Guidance: Managing Risks for Employer-Funded Retirement Plans | Fisher Phillips
The Government Accountability Office (GAO) recently asked the US Department of Labor (DOL) to issue guidance on cybersecurity issues to mitigate the risks to 401(k) and other retirement plans. GAO found that employer-funded defined contribution plans hold trillions of dollars and that the DOL had not clarified whether plan fiduciaries are responsible for cybersecurity issues. On April 14, the DOL confirmed that employee benefit plan fiduciaries are required to manage cybersecurity risks for their employer-funded plans.
In issuing this guidance, the DOL recognized that plan fiduciaries have a duty to mitigate cybersecurity risks. Without adequate protection, the estimated 34 million defined benefit plan participants in private retirement plans and 106 million defined contribution plan participants, with assets worth $9.3 trillion, could be exposed to cybersecurity threats. Accordingly, ERISA requires plan fiduciaries to take appropriate precautions to mitigate that risk. The DOL cybersecurity guidance has been published in three parts:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which guides plan fiduciaries in selecting service providers;
- Cybersecurity Program Best Practices, which sets out best practices for recordkeepers and other service providers; and
- Online Security Tips, which advises plan participants and beneficiaries who check and manage their accounts online.
This guidance is framed as “Tips” and recommended “Best Practices” for plan fiduciaries to consider, rather than as required steps or actions that plan fiduciaries must take. However, the tips for hiring a service provider and the cybersecurity program best practices are so detailed that it would not be surprising if the DOL came to view them as the minimum expectations plan fiduciaries must meet to satisfy their cybersecurity risk management obligations.
It is worth noting that GAO urged the DOL to publish guidance on retirement plans and cybersecurity considerations because of the trillions of dollars in assets held in such plans. The DOL guidance is likewise geared toward retirement plans, particularly the Tips for Hiring a Service Provider document, although it is addressed to plan sponsors and fiduciaries governed by the Employee Retirement Income Security Act (ERISA). While the guidance does not specifically address employer-funded plans that are not regulated by ERISA, plan fiduciaries should consider the tips and best practices for other plans as applicable. This is especially true for other plans regulated by ERISA, such as health and welfare plans, because the same fiduciary duties that apply to retirement plans apply to health and welfare plans as well.
Tips for hiring a service provider
Retirement plan sponsors are no strangers to using service providers to support their retirement plans, and they are accordingly familiar with the requirement to maintain a prudent process for selecting and monitoring those service providers. This guidance now adds cybersecurity considerations to the issues to weigh when choosing service providers.
The DOL suggests questions to put to potential service providers in order to assess their cybersecurity practices. These include asking the service provider about its information security standards, its audit policies and results, how it validates its practices, which security standards it has met and implemented, and which security breaches it has experienced in the past. The answers should be compared against those of other potential service providers, against industry standards, and against the service provider’s own track record.
Beyond these questions, the DOL guidance recommends paying careful attention to the service contract. According to the DOL guidance, a service contract should, among other things:
- Require the service provider to obtain a third-party audit every year;
- Specify how quickly the service provider must notify plan fiduciaries of a breach; and
- Specify the service provider’s obligation to comply with all applicable federal, state, and local laws governing the privacy, confidentiality, and security of participants’ personal information.
Cybersecurity Program Best Practices
The DOL has identified 12 best practices for recordkeepers responsible for plan-related IT systems and for plan fiduciaries making prudent decisions about cybersecurity measures. In summary, the 12 points identified by the DOL are:
- Have a formal, well-documented cybersecurity program in place. This includes a system for identifying risks; protecting assets, data and systems; detecting and responding to cybersecurity incidents; recovering from incidents; making any required disclosures; and restoring normal operations and services. The program should be approved by senior management, reviewed internally at least annually, and reviewed by an independent external auditor to assess compliance and threats.
- Establish a prudent annual risk assessment program. A manageable, effective risk assessment plan should be established to identify and assess cybersecurity risks and describe how the program will mitigate the risks identified. The program should be updated to reflect changes in information systems, service providers, or other changes in business operations.
- Conduct an annual third-party audit of security controls. In addition to the internal measures adopted, an independent external auditor should evaluate the security controls annually. If the auditor’s report identifies weaknesses, the plan fiduciary should also document how those weaknesses were remediated.
- Clearly define and assign information security roles and responsibilities. Building on the first two points, a prudent cybersecurity risk management program should clearly determine who is responsible for each aspect of the program. Specifically, the DOL states that a cybersecurity program must be managed at the executive level and then executed by qualified personnel. The Chief Information Security Officer (CISO) would generally be an appropriate person to establish and maintain the program.
- Have strong access control procedures. A robust process should be put in place to ensure that users are who they claim to be and that only authorized users have access to IT systems and data. This requires a suitable authentication and authorization system.
- Assess third-party use of cloud computing. The security program and features of the cloud service provider should be evaluated as part of the decision to engage that provider. This includes requesting a third-party risk assessment, assessing the service provider regularly, and ensuring that the requirements of a security program are followed. The tips for hiring a service provider discussed above apply to cloud service providers.
- Conduct annual cybersecurity training. A strong program should address risk at every level, including the employee level. Accordingly, the DOL proposes annual cybersecurity awareness training so that everyone can recognize attacks, prevent incidents and guard against identity theft.
- Implement a secure system development life cycle (SDLC) program. A secure SDLC program ensures that security measures such as code review are an integral part of the system development process.
- Implement a business resilience program that addresses business continuity, disaster recovery, and incident response. Business resilience is the ability to adapt quickly to disruptions while maintaining business continuity and protecting people, assets and data. The DOL suggests creating a business continuity plan, a disaster recovery plan and an incident response plan.
- Encrypt sensitive data. A cybersecurity program should implement current, prudent standards for encrypting data both at rest and in transit.
- Implement strong technical controls in line with best security practices. Technical security controls should keep hardware, software and firmware up to date, perform routine data backups and ensure routine patch management.
- Respond appropriately to cybersecurity incidents or breaches. Ensure that appropriate measures are in place to protect the plan and its participants in the event of a cybersecurity incident or breach. Such measures may include notifying law enforcement, notifying insurers, investigating the incident, and fixing the problem or vulnerability that caused the breach.
Online safety tips
The final component of the DOL guidance focuses on steps plan participants and beneficiaries can take to mitigate cybersecurity risks on their own part. These tips include regularly monitoring their accounts, using strong passwords together with multi-factor authentication, keeping personal contact information current, and signing up for notifications of account activity. The DOL also offers individuals some general best-practice considerations for accessing accounts or maintaining an online presence in general, such as keeping software up to date.
Getting ahead with the DOL guide
Cybersecurity is a growing concern across the board as processes and platforms increasingly move to remote or electronic providers. Given this landscape of electronic services and the latest DOL guidance, plan fiduciaries should review and analyze the processes they currently have in place to manage cybersecurity risks.
Plan fiduciaries should also review their current service provider contracts and hiring procedures, especially for any contracts pending renewal or termination. The DOL guidance should be weighed against the current practices of plan sponsors and plan fiduciaries, and where there are gaps, additional steps may be required to ensure that plan fiduciaries can meet all of their obligations regarding cybersecurity concerns.