DOL Publishes Cybersecurity Best Practices for ERISA-Covered Retirement Plans | Jackson Lewis PC
Today the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) released its highly anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to advise on employee benefit plans, presented its cybersecurity considerations to the Department of Labor. The essence of today’s guidance:
“Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
What that obligation means, at least for now, is what EBSA has set out in the materials on its website: cybersecurity program best practices for recordkeepers and other service providers, tips for plan sponsors and fiduciaries hiring service providers, and online security tips, although the online security tips are aimed at plan participants rather than plan fiduciaries.
EBSA notes that ERISA-covered plans hold “millions of dollars or more” in assets and maintain participants’ personal information. Its guidance lists a number of best practices for use by plan recordkeepers and other service providers responsible for plan-related IT systems and data, and by plan fiduciaries, who have a duty to make prudent decisions when evaluating and selecting plan service providers. EBSA’s best practices include:
- Run a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Follow strict access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party are subject to appropriate security reviews and independent security assessments.
- Conduct regular cybersecurity awareness training.
- Have an effective enterprise resilience program that addresses business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, both at rest and in transit.
EBSA fleshes out each of these best practices to give recordkeepers, service providers and plan fiduciaries more direction in developing their own policies and procedures. It is worth noting that these best practices are not dissimilar to other well-known frameworks for protecting personal data. Organizations that have already worked to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act have a head start on taking similar steps for their retirement plans and/or their services to plans.
The selection of ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA outlines key cybersecurity issues to consider when choosing service providers, including the following:
- Ask about the service provider’s information security standards, practices and policies, and its audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors should not assume that a service provider referred by a trusted source, or one with compelling marketing materials, has reasonable cybersecurity safeguards in place. As the saying goes, “Trust, but verify.” This applies to all third-party plan providers, including large, well-known organizations.
- Ask the service provider how it validates its practices, and which security standards it has met and implemented. Look for contract terms that give you the right to review audit results demonstrating compliance with those standards.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. Since these incidents are frequently reported in the news, also review news reports about the provider’s response to the incident.
- Find out whether the service provider carries insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account.
- Consider the service provider’s willingness to agree to contract terms that require ongoing cybersecurity compliance, clear rules for the use and disclosure of personal information, responsibility for security breaches, and other important provisions that protect the plan, plan sponsor, and participants.
It is important to note that no set of safeguards prevents all data breaches, and no amount of careful diligence guarantees the selection of an error-free service provider. In many cases, a data breach at a plan service provider does not mean that provider should no longer be considered. There are several reasons for this.
Third-party plan service providers and plan fiduciaries should take reasonable and prudent steps to implement safeguards that adequately protect plan data. The EBSA guidance should help them get there, together with the plan’s fiduciaries, the plan sponsor’s trusted counsel, and other advisors.