EBSA tips for mitigating the cybersecurity threat to retirement plans
On April 14, 2021, the US Department of Labor’s Employee Benefits Security Administration (“EBSA”) released its first cybersecurity best practices for retirement plans. The guidance consists of three parts and emphasizes that plan sponsors and trustees must take steps to mitigate cybersecurity risks under the fiduciary obligations imposed on them by the Employee Retirement Income Security Act of 1974 (“ERISA”). To help plan sponsors and trustees with their responsibility for carefully selecting and monitoring service providers, the guidelines set out considerations for determining whether service providers follow strict cybersecurity practices. The EBSA regards these guidelines as a complement to its rules on electronic records and disclosures for plan participants and beneficiaries (i.e. that electronic record systems have adequate controls, that adequate record management procedures are in place, and that electronic disclosure systems follow measures that protect personally identifiable information).
The cybersecurity guidelines have long been anticipated by the benefit plan community, following numerous informal discussions and programs with EBSA representatives regarding cybersecurity for benefit plans. The ERISA Advisory Council reported on plan cybersecurity, on the security and protection measures taken by industry service providers, and on litigation that has emerged. Both reported and unreported cybersecurity breaches, and the occurrence of fraudulent retirement benefit distributions, have raised questions about the scope of ERISA fiduciary responsibility for the cybersecurity of plan participant information, plan asset data and accounts. Recently, the US Government Accountability Office (“GAO”), in its February 2021 report, urged DOL to issue cybersecurity guidelines and recommended that DOL officially state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in defined contribution plans, and that DOL establish minimum cybersecurity risk management requirements for defined contribution plans. The DOL agreed to the second GAO recommendation, but did not state whether or not it accepted the first.
Given the advances in technology (including technological tools developed to support the management and delivery of employee benefits), the novel cybersecurity risks that these advances bring, and the trillions of dollars in employer-sponsored retirement assets alone, there is ongoing and growing concern for both (i) the security of plan participant data, which is collected, transmitted, processed and stored for pension plans, and (ii) the security of the assets in participant accounts. The new guidelines are a step forward, as they incorporate best practices and approaches for mitigating cybersecurity risks and further validate steps already taken by plan trustees and service providers.
The first guide issued by EBSA contains “Tips for Hiring a Service Provider with Strict Cybersecurity Practices”. An overarching lesson from these tips is that trustees should (i) be careful in selecting plan service providers, (ii) review the cybersecurity practices of service providers as they are selected, and (iii) develop ongoing monitoring practices. In these guidelines, the EBSA has set out due diligence considerations and provisions for service agreements to ensure “ongoing compliance with cybersecurity and information security standards”, and to establish contractual terms covering: notification of data breaches; compliance with all applicable federal, state, and local laws, rules, regulations, guidelines, and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information; and insurance.
The second guide issued by the EBSA is “Cybersecurity Program Best Practices”, which states that “[r]esponsible Plan Trustees are required to ensure adequate cybersecurity risk mitigation.” This is the first formal statement from the EBSA that plan trustees have at least an obligation to ensure adequate cybersecurity risk mitigation. The guidelines are carefully worded but appear to imply an obligation on the plan’s trustees to conduct proper due diligence to confirm the service provider’s compliance with prudent cybersecurity practices and procedures, to confirm that the plan’s and participants’ information, data and accounts are protected and that appropriate controls are in place on an ongoing basis, and to confirm that responsible procedures are followed to respond to cybersecurity breaches. Among other things, these guidelines state that plan service providers should have formal, well-documented cybersecurity programs in place; “[c]onduct prudent annual risk assessments”; have “reliable annual third party security control audits”; “[c]onduct regular cybersecurity awareness training”; and “[i]mplement and maintain a Secure System Development Life Cycle (SDLC) program.” Plan sponsors and trustees should also determine how their service providers will be assessed against these best practices.
The EBSA’s third guide is aimed at retirement plan participants and contains “Online Safety Tips” that explain how participants can help reduce the risk of cybersecurity attacks and threats to their retirement accounts. Under these tips, EBSA recommends plan participants use strong passwords and multi-factor authentication, and learn about possible phishing attacks that could leave their retirement accounts exposed to cybersecurity violations. While aimed at plan participants, plan trustees should understand the tools, procedures, and potential training they can offer their plan participants to help mitigate cybersecurity risks.
Considerations and Next Steps for Retirement Plans
At this stage, the guidelines set out by the EBSA are an advancement in expressing the agency’s views on the respective responsibilities of plan sponsors, trustees, service providers and plan participants in relation to cybersecurity and retirement plans. The concept that plan sponsors and trustees have a responsibility to mitigate cybersecurity risk should serve as a call to action to review existing relationships with service providers, to request the information necessary to assess the state of their cybersecurity practices and procedures for benefit plans, and to include review of such cybersecurity practices in future dealings with new and existing service providers. Litigation will no doubt develop in this area as the scope of plan fiduciary responsibility continues to develop. New laws and regulations will also emerge in this area and will need to be addressed.
To this end, as we have recommended, plan sponsors and trustees should (i) establish strict procedures, protocols, guidelines and other safeguards to protect participants’ information and their retirement accounts, and (ii) develop a process for carefully selecting and monitoring their plan service providers to ensure that they also maintain and follow strict cybersecurity and breach response procedures. When cybersecurity breaches occur, plan trustees should have an established response plan with their service providers so that they are better able to respond quickly and mitigate damage. In the event of a legal dispute, plan sponsors and trustees will be better able to defend against potential fiduciary breach claims if they can demonstrate that they followed prudent policies and procedures to mitigate cybersecurity risks.
Many plan sponsors, trustees and plan service providers have already developed policies and procedures that reflect awareness of the risks involved in managing their retirement plans. These policies and procedures, service agreements, general safeguards, protocols and breach response procedures should be reviewed and updated, or established if they are not already in place, to reflect the desired aspects of EBSA’s cybersecurity best practice guidelines, so that they protect the plan, serve participants and stand up to scrutiny.
© 2021 Epstein Becker & Green, PC. All rights reserved. National Law Review, Volume XI, Number 106