DOL Guidance on Cybersecurity: A Cautionary Note for Plan Sponsors

Troutman Pepper

Troutman Pepper

[co-author: Marcelo Roman]

Have you asked yourself recently: "Are my ERISA plan's assets and participant data protected from cyberattacks?" If not, you should. The Department of Labor's (DOL) release of cybersecurity best practices for plans covered by the Employee Retirement Income Security Act (ERISA) makes it clear that plan sponsors, service providers, and participants share responsibility for protecting plan accounts. The guidance, which includes tips for hiring service providers, cybersecurity program best practices, and online security tips, provides a best practices roadmap for you to follow. We have synthesized the DOL's guidance into action items for plan sponsors. The adoption and implementation of ERISA cybersecurity policies and procedures will be your best defense against fiduciary litigation and DOL investigations, which are certain to arise in the wake of the DOL's guidance.

1. Hiring a Service Provider

When selecting and using third-party providers, you should conduct due diligence to identify service providers with strong established cybersecurity practices. The DOL recommends that plan sponsors inquire about a service provider's cybersecurity standards, policies, and practices, which also should include regular audits by an outside auditor. For example, you could ask: "What are the service provider's levels of security, and do they have insurance to cover potential losses resulting from a cyberattack?" You should research public information, such as past and ongoing litigation, security incidents, and other legal proceedings, to get an understanding of the service provider's track record. Make certain the service provider appropriately addresses your concerns. Lastly, contract with caution. Look out for contract provisions that limit the liability of the service provider, while simultaneously trying to include provisions that provide you with greater protection. For example:

  • require a risk assessment by an independent auditor,

  • address minimum cybersecurity practices, such as:

    • multifactor authentication,

    • encryption policies and procedures,

    • regular vulnerability scans and annual penetration tests, and

    • notification protocol for a cybersecurity event, which directly impacts customer information system(s) or nonpublic information.

2. Cybersecurity Program Best Practices

As a plan fiduciary, you have an obligation to mitigate cybersecurity risks. As mentioned above, when hiring a service provider, you should make certain the provider has adopted a strong cybersecurity program. A strong program identifies and assesses internal and external cybersecurity risks that aim to breach the confidentiality, integrity, or availability of stored nonpublic information. Components of an effective policy include:

  • oversight by the chief information security officer,

  • periodic policy updates,

  • annual cybersecurity awareness training,

  • written documentation of the particular framework(s) used to assess the security of systems and practices,

  • prudent annual risk assessment,

  • procedures to control access to IT systems and data, and

  • annual third-party audits.

Service providers are expected to act upon the results of the third-party audits and proactively document the steps taken to correct the reported risks, vulnerabilities, and weaknesses.

3. Online Security Tips

Retirement plan participants and beneficiaries share accountability for maintaining the security of their retirement account information. Plan participants and beneficiaries who check their retirement accounts online should be educated on how they can reduce the risk of fraud and loss. In its guidance, the DOL provides the following tips:

  • register, set up, and routinely monitor your online account,

  • use strong and unique passwords,

  • use multifactor authentication,

  • keep personal contact information current,

  • close or delete unused accounts,

  • be wary of free Wi-Fi,

  • beware of phishing attacks,

  • use antivirus software and keep apps and software current, and

  • know how to report identity theft and cybersecurity incidents.

We suggest that plan sponsors, service providers, and participants rely on the DOL's guidance to establish a minimum threshold for cybersecurity compliance. Plan sponsors should establish consistent guidelines for vetting third-party providers and, as with any fiduciary decision, should carefully document the decision-making process. Further, plan sponsors should not limit compliance with these cybersecurity practices to ERISA-covered retirement plans; as a best practice, all ERISA-covered plans for which the plan sponsor has a fiduciary duty should fall under the policy's umbrella. We anticipate the plan sponsor's cybersecurity policy will become as integral to qualified retirement plans as are investment policy statements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.