The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) recently announced its first cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of 1974 (ERISA). The cybersecurity guidance is divided into three parts: Tips for Hiring a Service Provider With Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips. The guidance contains numerous recommendations for plan sponsors and other plan fiduciaries, recordkeepers, participants, and beneficiaries of ERISA retirement plans.
Plan fiduciaries in particular should review the guidance and consider using it to assess and mature their cybersecurity programs and to evaluate the programs of their service providers. The guidance may also help plan fiduciaries lay the groundwork to defend against possible future claims brought under ERISA or data breach laws in the event of a service provider data breach.
As the DOL notes, ERISA-regulated retirement funds have millions of participants and hold assets of approximately $9.3 trillion. Retirement plans maintain significant amounts of detailed personal and financial data. Consequently, the companies and people who sponsor, service, and benefit from these plans are prime targets for attackers.
According to the DOL, its guidance is intended to complement the existing EBSA regulations on the electronic storage of records and the electronic delivery of disclosures to plan participants and beneficiaries. Those regulations include requirements that electronic recordkeeping systems have reasonable controls and adequate record management practices in place, and that electronic disclosure systems include measures to protect personally identifiable information.
Tips for Hiring a Service Provider With Strong Cybersecurity Practices
The first part of the DOL guidance is directed to plan sponsors and other plan fiduciaries and addresses how to evaluate a service provider's cybersecurity practices as part of the fiduciary duty to prudently select and monitor a plan's service providers. The guidance recommends that plan fiduciaries conduct due diligence by carefully reviewing and comparing the service provider's information security standards and practices to recognized industry standards and frameworks.
Plan fiduciaries should consider how a service provider evaluates its cybersecurity practices, including whether it uses a third-party auditor to review its security practices on an annual basis. It also recommends plan fiduciaries to evaluate a service provider's cybersecurity track record, including information about past security breaches and other legal proceedings in which the service provider is involved, and inquire about the service provider's cybersecurity insurance.
Additionally, the DOL advises that a plan fiduciary include various cybersecurity-related contract provisions in its agreement with service providers. These may include terms that require:
- A right to review cybersecurity audit results;
- The service provider to carry insurance covering losses caused by security breaches—including not only those caused by external threats but also those caused by the misconduct on the part of the service provider, its employees, or its contractors;
- Ongoing compliance with cybersecurity standards;
- Clear limitations on the use and sharing of private information;
- Prompt notification and cooperation in the event of a data breach; and
- Compliance with federal and state record retention and deletion policy.
The DOL also warns plan fiduciaries to avoid contract provisions that limit a service provider's responsibility for IT security breaches.
Cybersecurity Program Best Practices
The second part of the DOL guidance provides a series of best practices for cybersecurity programs. This part is directed to recordkeepers and other service providers responsible for managing cybersecurity risks and to plan fiduciaries deciding which service providers to hire. Under the guidance, service providers should have in place a formal, well-documented cybersecurity program that protects IT infrastructure, information systems, and data from both internal and external threats.
The program should address all key areas of the cybersecurity lifecycle with processes and controls to: identify risks; protect assets, systems, and data; detect, respond to, and recover from cybersecurity events; and disclose events where appropriate. Service providers' cybersecurity programs also should be subject to review by a third-party auditor and to annual risk assessments.
For a cybersecurity program to be effective, it must be managed and approved by senior leadership, such as a chief information security officer (CISO). Additionally, the DOL recommends that any asset or data stored in a cloud-based service or managed by a third-party service provider be subject to appropriate security reviews and independent security assessments.
The guidance also includes various recommendations for a cybersecurity program's access control procedures, periodic cyber awareness training, secure system development lifecycle program, business resiliency program, encryption of sensitive data while stored and in transit, technical controls in accordance with best security practices, and appropriate responses to any past cybersecurity incidents.
Online Security Tips
The final part of the guidance offers plan participants and beneficiaries, who often check and manage their retirement accounts online, some basic tips to reduce the risk of fraud and loss, such as:
- 1. Register, set up, and routinely monitor your online account;
- 2. Use strong and unique passwords;
- 3. Use multi-factor authentication;
- 4. Keep personal contact information current;
- 5. Close or delete unused accounts;
- 6. Be wary of free Wi-Fi;
- 7. Beware of phishing attacks;
- 8. Use antivirus software and keep apps and software current; and
- 9. Know how to report identity theft and cybersecurity incidents.
An Open Question: Is Cybersecurity a Plan Fiduciary Responsibility?
The DOL's cybersecurity guidance has been a long time coming. The ERISA Advisory Council released reports in 2011 and 2016 identifying privacy and cybersecurity risks to employee benefit plans, but the DOL had not previously issued any guidance on how to address those risks or to what extent doing so was mandatory.
In February 2021, the U.S. Government Accountability Office (GAO) noted this lack of guidance and recommended that the DOL:
- 1. Formally state whether cybersecurity for ERISA-covered plans is a plan fiduciary responsibility; and
- 2. Develop guidance that 'identifies minimum expectations' for addressing cybersecurity risks in ERISA-covered plans.
The DOL guidance here addresses the second GAO recommendation but not the first. Although the guidance, taken as a whole, expresses the DOL's view that plan fiduciaries must act prudently in the interest of plan participants and beneficiaries by taking appropriate precautions to mitigate cybersecurity risks, it does not affirmatively state whether failure to address cybersecurity risks, standing alone, is a breach of fiduciary duty. As noted, the guidance does state that a plan fiduciary must assess service providers' cybersecurity programs as part of the established fiduciary duty to select and monitor service providers.
The question of whether cybersecurity is a fiduciary responsibility is a critical one, as a breach of fiduciary duty under ERISA can have significant consequences including personal liability to make the plan whole for any losses resulting from the breach.1 The DOL's decision not to address this question will come as a disappointment to those looking for more certainty in an unsettled area of law. The 7th Circuit's decision in Divane v. Northwestern University holding that participants' personally identifiable information does not constitute a 'plan asset' may foreclose a claim that a compromise of such data gives rise to a breach of fiduciary duty claim.2
Yet, the Eastern District of California previously ruled in Rose v. HealthComp, Inc., that improper disclosure of a participants' personal data could be grounds for a breach of fiduciary duty claim.3 Plaintiffs would seem to be on a stronger ground when a cybersecurity breach results in an actual loss of participants' funds held by the plan. For example, the Eastern District of Pennsylvania held in Leventhal v. MandMarblestone Group, LLC, that a breach of fiduciary duty claim was sufficiently pled where a party's own failure to secure its systems allegedly resulted in a fraudulent withdrawal of funds.4
Fortunately for plan fiduciaries, the fact that a cyberattack has occurred does not necessarily mean that the fiduciary has breached its duties, even if the attack results in loss of plan funds. ERISA requires that fiduciaries act with reasonable 'care, skill, prudence and diligence,' meaning that a fiduciary can defend a claim by showing that it had reasonable and appropriate cybersecurity controls in place to prevent a compromise. Here, the DOL guidance can play an important role, helping fiduciaries to identify the controls it should prioritize.
Cyber Diligence: Leveraging Third-Party Certifications and Assessments
The substance of DOL's recommendations is not surprising. The guidance generally tracks the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and other common frameworks and best practices. Even so, plan fiduciaries and service providers should carefully review their existing programs and agreements against the DOL guidance as the guidance may make its way into ERISA lawsuits and enforcement actions.
Companies should be prepared to explain how their existing programs address each applicable provision of the guidance and plan to remediate any gaps. Compliance with the DOL guidance also will help plan fiduciaries and service providers lay the foundation for an effective defense against post-data breach claims that they failed to adopt reasonable security controls, such as might be made under the California Consumer Privacy Act (CCPA) and other laws.
Many plan fiduciaries might struggle to assess the quality of their service providers' cybersecurity programs and practices. This could be because of a lack of technical expertise, resource constraints, or various other factors.
Maybe in recognition of these limitations, the DOL guidance emphasizes various ways plan fiduciaries can leverage third-party assessments and generally accepted frameworks as part of their due diligence. Following the guidance, plan fiduciaries should consider requiring their vendors (at least those likely to handle sensitive plan data) to maintain recognized third-party certifications, such as the ISO/IEC 27001 or AICPA SOC 2, or to submit themselves to other comprehensive third-party assessments.
Although certifications and assessments can be effective tools for evaluating the general quality and maturity of a service provider's cybersecurity program, they are not a complete solution to proper vendor management. For example, a service provider may obtain a certification confirming (among other things) that it has processes and technologies to encrypt data at rest, but that certification does not necessarily assure a plan fiduciary that encryption is being used for the specific plan data the service provider receives from the fiduciary.
Good vendor management means that plan fiduciaries still must pay close attention to the specifics of their service provider relationships and determine whether appropriate security controls are in place.
Whether cybersecurity risk management is a fiduciary duty under ERISA remains an open question. Even so, the DOL guidance may be useful for helping plan fiduciaries improve their cybersecurity programs, evaluate service providers, and lay the groundwork to defend against claims brought under ERISA or data breach laws. DWT will continue to provide updates as the DOL offers additional guidance on ERISA cybersecurity standards and requirements.
1 26 U.S.C. § 409(i).
2 Divane v. Northwestern Univ., 953 F.3d 980 (7th Cir. 2020).
3 Rose v. HealthComp, Inc., No. 1:15-cv-00619-SAB, 2015 WL 4730173 (E.D. Cal. Aug. 10, 2015).
4 Leventhal v. MandMarblestone Grp., LLC, No. CV 18-2727, 2020 WL 1953247 (E.D. Pa. Nov. 24, 2020); see also Bartnett v. Abbott Lab'ys, No. 1:20-cv-02127 2021 WL 428820 (N.D. Ill. Feb. 8, 2021). Although the Plaintiff's claims were dismissed in Bartnett due to pleading defects, the suit eventually led to a DOL investigation of Alight Solutions' cybersecurity practices; the DOL concluded that the company had processed unauthorized distributions resulting from a cybersecurity breach. See id. at *5 (noting that the investigation opened on July 30, 2019).