The U.S. Department of Labor's Employee Benefits Security Administration (EBSA) on April 14 issued much-anticipated cybersecurity guidance for employee retirement plans. The essence of the guidance is that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
EBSA set out in the following materials on its website, although the "Online Security Tips" are directed more to plan participants than plan fiduciaries:
Acknowledging that employer-sponsored plans subject to the Employee Retirement Income Security Act (ERISA) hold "millions of dollars or more in assets and maintain personal data on participants," EBSA's guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of EBSA's best practices include:
- Maintain a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Implement a reliable annual third-party audit of security controls.
- Follow strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures.
It is worth noting these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have engaged in efforts to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the New York SHIELD Act will have a head start taking similar steps concerning their retirement plans and/or their services to plans.
Selecting Service Providers
Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:
- Ask about the service provider's information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, "Trust, but verify." This also applies to all third-party plan providers, even large, well-known organizations.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider's response to the incident.
- Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider's own employees or contractors, or a third party hijacking a plan participant's account.
- Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.
It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider (here are some reasons why).
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA's guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors' trusted counsel and other advisors.
Joseph J. Lazzarotti is an attorney with Jackson Lewis in Morristown, N.J. Joy M. Napier-Joyce is a principal in the Baltimore, Md., office of Jackson Lewis and leads the firm's employee benefits practice group. This article was originally published, in a slightly longer form, on the firm's website. © 2021 Jackson Lewis P.C. All rights reserved. Reposted with permission.
Related SHRM Articles:
Pension Breach Blamed on Third-Party Service Provider, SHRM Online, February 2021
Shore Up Benefits Cybersecurity During Open Enrollment, SHRM Online, September 2020
Securing Retirement: 401(k) Plan Cybersecurity, SHRM Online, August 2019