Ready or Not, Cybersecurity Guidance for Employee Benefit Plans is Here

The U.S. Department of Labor recently issued formal cybersecurity guidance for employee benefit plans.  The guidance applies to plan sponsors, plan fiduciaries, record keepers, and plan participants and includes various tips and best practices for protecting retirement plan assets.  The DOL’s guidance includes:

• Tips for Hiring a Service Provider, which helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices, as required under ERISA.

• Cybersecurity Program Best Practices, which outlines tips for implementing and maintaining a strong cybersecurity program that identifies and assesses internal and external cybersecurity risks that may threaten plan assets and benefits-related information.

• Online Security Tips, which offers participants and beneficiaries guidance for reducing the risk of fraud and loss on their benefit plan accounts.

Most importantly for plan sponsors and plan fiduciaries are the DOL’s Tips for Hiring a Service Provider and Cybersecurity Program Best Practices.  According to the DOL, plan service providers should:

1. Have a formal, well-documented cybersecurity program addressing access control, security and patch management, detection and prevention programs, and a practiced and proven incident response team and plan;
2. Conduct prudent annual risk assessments to identify vulnerabilities and potential exploits;
3. Have a reliable annual third party audit of security controls;
4. Clearly define and assign information security roles and responsibilities;
5. Have strong access control procedures including onboarding and offboarding procedures;
6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments;
7. Conduct periodic cybersecurity awareness training for employees and beneficiaries;
8. Implement and manage a secure system development life cycle (SDLC) program;
9. Have a well documented and effective business resiliency program addressing business continuity, disaster recovery, and incident response;
10. Encrypt sensitive data stored and in transit;
11. Implement strong technical controls in accordance with industry best security practices; and
12. Appropriately respond to any past cybersecurity incidents and implement changes to prevent similar attacks in the future.

The DOL includes detailed guidance related to each of the action items above.  Ultimately, the DOL’s “best practices” is similar (though not identical) to several widely recognized and approved cybersecurity frameworks such as NIST 800-53, NIST CSF, and NIST 800-171.

While these “tips” and “best practices” are not yet legally mandated for employee benefit plans, the DOL makes clear that “ERISA requires plan fiduciaries to take appropriate precautions to mitigate” the risk of internal and external cybersecurity threats.  Furthermore, the recent increase in litigation under ERISA involving cybersecurity highlights a plan fiduciary’s duty to act prudently to protect retirement plan assets.  In the event of a cyber-breach, the ability to prove adherence to a recognized cybersecurity framework may provide a defense to any ensuing claims. Finally, the DOL’s recent guidance may indicate the agency’s intention to pay closer attention to cybersecurity concerns in future plan audits.

Accordingly, it’s important that plan sponsors and plan fiduciaries analyze the cybersecurity practices of their employee benefit plans.  If not consistent with the DOL’s recent guidance, plan fiduciaries should begin taking prudent steps to implement the necessary safeguards to protect a plan’s assets and benefit data.  Plan sponsors and fiduciaries should also review their current and future administrative service agreements to confirm service providers have appropriate policies and practices in place.