DOL Finally Issues Cybersecurity Guidance for Retirement Plans (Murtha Cullina)
On April 14, 2021, the U.S. Department of Labor's Employee Benefits Security Administration (EBSA) issued its first guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on best practices for maintaining cybersecurity to protect the retirement benefits of American workers under ERISA-covered, employer-sponsored private-sector retirement plans.
Background. The Employee Retirement Income Security Act of 1974 (ERISA) sets minimum standards and requirements to protect plan participants and beneficiaries in employer-sponsored private-sector retirement plans. Since ERISA went into effect, however, plan sponsors and their service providers have come to rely increasingly on the internet and IT systems to perform the tasks required to manage these retirement plans. In addition, plan sponsors often outsource the administration of retirement plans, including recordkeeping and other services, to third-party providers, which increases the opportunities for cyber thieves and other bad actors to gain unauthorized access to participant accounts, personally identifiable information (PII), and plan asset data. Protecting plan assets and participants' personal data from cyberattacks is therefore a priority for everyone involved in providing retirement benefits. (PII is any information that can be used to distinguish or trace an individual's identity, such as name, date and place of birth, or Social Security number, as well as other information that can be linked to an individual, such as educational, financial, and employment information.)
Much is at stake here. This country's employer-sponsored private-sector retirement plans hold combined assets of $ trillion for the benefit of millions of participants, and the cybersecurity risks to those plans' assets and personal information are real and growing. According to EBSA estimates, in 2018 there were 106 million 401(k) and other defined contribution plan participants and 34 million defined benefit plan participants in private plans, with combined estimated assets of $9.3 trillion. In many cases, these funds are a participant's only savings for retirement, underscoring the importance of protecting these assets from cyberattacks.
DOL's first cybersecurity guidance. The first publicly available DOL guidance on cybersecurity for retirement plans was published on April 14, 2021 on the DOL website and is available at https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity.
According to the accompanying DOL press release (available at https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414), DOL's cybersecurity guidance is intended to complement existing DOL regulations on electronic records and disclosures for plan participants and beneficiaries, including provisions requiring that electronic recordkeeping systems have adequate controls and procedures in place to manage records, and that electronic disclosure systems include measures to protect participants' personal data.
The three parts of the DOL cybersecurity guidance. DOL's cybersecurity guidance takes three forms, each containing numerous "tips" and "best practices", which are summarized below:
- Tips for hiring a service provider with strong cybersecurity practices. This guidance provides six "tips" to help plan sponsors and fiduciaries fulfill their responsibilities under ERISA to prudently select and monitor plan service providers, so that they hire service providers that adhere to strong cybersecurity practices:
  - Ask about the service provider's information security standards, practices, and policies, as well as its audit results, compare them to the industry standards adopted by other financial institutions, and look for service providers that follow a recognized information security standard and use an outside (third-party) auditor to review and validate their cybersecurity;
  - Ask the service provider how it validates its practices and which security standards it has met and implemented, and look for contract provisions that give the plan sponsor or fiduciary the right to review audit results demonstrating compliance with the standard;
  - Evaluate the service provider's track record in the industry, including public information on information security incidents, other litigation, and legal proceedings related to the provider's services;
  - Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded;
  - Find out whether the service provider has insurance policies that cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider's own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant's account); and finally,
  - When contracting with a service provider, make sure the contract requires ongoing compliance with cybersecurity and information security standards (and watch out for contract terms that limit the service provider's responsibility for IT security breaches), and also try to include contract terms that enhance cybersecurity protection for the plan and its participants.
- Cybersecurity program best practices. The second part of the DOL guidance contains the following twelve "best practices" for plan recordkeepers and other plan service providers responsible for plan-related IT systems and data, as well as for plan fiduciaries making prudent decisions about which service providers to hire (the list below is only a summary; see https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf). The guidance states that plan service providers should:
  - Have a formal, well-documented cybersecurity program;
  - Conduct prudent annual risk assessments;
  - Have a reliable annual third-party audit of security controls;
  - Clearly define and assign information security roles and responsibilities;
  - Have strong access control procedures;
  - Ensure that any assets or data stored in a cloud or managed by a third party are subject to appropriate security reviews and independent security assessments;
  - Conduct periodic cybersecurity awareness training;
  - Implement and manage a secure system development life cycle (SDLC) program;
  - Have an effective business resilience program addressing business continuity, disaster recovery, and incident response;
  - Encrypt sensitive data, both stored and in transit;
  - Implement strong technical controls in accordance with best security practices; and finally,
  - Appropriately respond to any past cybersecurity incidents.
- Online security tips. The third part of the DOL guidance offers the following tips for plan participants and beneficiaries:
  - Register for, set up, and routinely monitor your online account;
  - Use strong and unique passwords;
  - Use multi-factor authentication;
  - Keep your personal contact information current;
  - Close or delete unused accounts;
  - Be wary of free Wi-Fi;
  - Beware of phishing attacks;
  - Use antivirus software and keep apps and software up to date; and finally,
  - Know how to report identity theft and cybersecurity incidents.
DOL's cybersecurity guidance is long overdue. It has taken DOL a long time to issue cybersecurity guidance for ERISA-covered retirement plans. In 2011 and again in 2016, the Advisory Council on Employee Welfare and Pension Benefit Plans (ERISA Advisory Council) issued two reports to DOL focused on privacy and cybersecurity issues affecting employee benefit plans, but DOL did not act on either report. EBSA recently told the U.S. Government Accountability Office (GAO), the "watchdog" of Congress, that it had made the two ERISA Advisory Council reports publicly available on the EBSA website, but that it had taken no action, and planned none, on the reports' recommendations.
In February 2021, GAO itself published a report to congressional requesters, Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans (available at https://www.gao.gov/products/gao-21-25), which, after finding that both the private sector and certain U.S. federal agencies (other than DOL) had taken significant steps to mitigate cybersecurity risk, recommended that DOL:
- Formally state whether cybersecurity for employer-sponsored defined contribution plans is a plan fiduciary responsibility under ERISA; and
- Develop and issue guidance setting out minimum expectations for mitigating cybersecurity risks, outlining the specific requirements to be met by all entities involved in administering private-sector employer-sponsored defined contribution retirement plans.
DOL's April 14, 2021 cybersecurity guidance appears to be at least a first step toward following the GAO recommendations. It remains to be seen, however, whether following the DOL guidance would be an effective defense for plan sponsors, plan fiduciaries, and plan service providers sued by plan participants who have lost their retirement nest eggs to cyber thieves or other bad actors. Perhaps, over time, DOL will offer additional guidance that is meatier than "tips" and "best practices", setting clear standards and requirements that plan sponsors, plan fiduciaries, and third-party vendors must meet in order to fulfill their respective ERISA duties to plan participants and beneficiaries.