DOL Releases Cybersecurity Best Practices Guidance for Protecting Retirement Benefits
Department Also Begins Plan Audits for Compliance
- New Guidance. The U.S. Department of Labor released cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers and plan participants, and has started incorporating cybersecurity components in its plan audits.
- Plans Must Comply. Plan sponsors, fiduciaries and service providers are responsible for maintaining adequate cybersecurity protections, and should perform annual self-assessments and third-party audits.
- Hiring Service Providers. If a plan sponsor opts to engage a third party for administrative or record-keeping services, the guidance outlines best practices for selecting a service provider with strong cybersecurity practices.
For the first time, the U.S. Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) has released cybersecurity guidance aimed at protecting workers' retirement benefits. The guidance, which was released by EBSA on April 14, 2021, is directed at plan sponsors, plan fiduciaries, administrative record-keepers and plan participants. In total, the DOL released three separate documents for review and consideration, each covering a different topic at the intersection of cybersecurity and benefit plans.
Best Practices. The first document released by EBSA, titled Cybersecurity Program Best Practices, sets out information security practices for Employee Retirement Income Security Act (ERISA)-covered benefit plans. The memorandum lists 12 elements of a sound cybersecurity program, including a cybersecurity risk assessment conducted at least annually and third-party audits of security controls. Regarding those audits, EBSA indicated that if it were to review an audit program it would expect to see, among other documentation, audit reports, penetration test reports and documented corrections of any identified weaknesses. The memorandum also calls for a plan sponsor's cybersecurity program to be managed at the executive level, ideally by a Chief Information Security Officer (CISO), and for cybersecurity awareness training to be conducted at least annually. To that end, EBSA urges plan sponsors to keep that training current, updating it based on risks identified through the plan's risk self-assessment process.
EBSA further instructs plan sponsors and fiduciaries to adopt a secure system development life cycle (SDLC) program, so that new systems are designed with security as a central requirement rather than added after the fact. As an example, EBSA suggests that two-factor authentication or other additional validation be triggered automatically by high-risk events, such as a participant changing account information or initiating a rollover of an account balance.
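The step-up requirement described above, as an added example that is not part of the DOL guidance or this alert: a small Python policy that lets routine requests through but demands a fresh one-time code before a sensitive action such as a contact-information change or rollover, and remembers a successful check for a short window so the participant is not prompted on every click. The action names, the five-minute re-authentication window and the session object are assumptions; the one-time code routine follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits) and the key in the demo is the RFC's published test key, not real participant data.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Actions treated as high-risk (assumed list; a real deployment would
# derive this from the plan's risk assessment).
SENSITIVE_ACTIONS = {"change_contact_info", "change_bank_account", "rollover", "distribution"}

# How long a completed second-factor check covers further sensitive
# actions in the same session (assumed value).
STEP_UP_WINDOW_SECONDS = 300

TIME_STEP = 30   # RFC 6238 default step
DIGITS = 6       # RFC 6238 default code length


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift); compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * TIME_STEP), submitted)
        for i in range(-skew_steps, skew_steps + 1)
    )


class Session:
    """Minimal participant session: who is logged in and when they last passed step-up."""

    def __init__(self, participant_id: str, totp_secret: bytes):
        self.participant_id = participant_id
        self.totp_secret = totp_secret
        self.last_step_up: Optional[int] = None  # unix time of last successful second factor


def authorize(session: Session, action: str, unix_time: int, code: Optional[str] = None) -> str:
    """Return 'allow', 'step_up_required' or 'deny' for the requested action."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if session.last_step_up is not None and unix_time - session.last_step_up <= STEP_UP_WINDOW_SECONDS:
        return "allow"  # a recent second-factor check still covers this action
    if code is None:
        return "step_up_required"  # the UI should prompt for the one-time code
    if verify_totp(session.totp_secret, code, unix_time):
        session.last_step_up = unix_time
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed scenario using the RFC 4226/6238 test key.
    session = Session("participant-0001", b"12345678901234567890")
    print(authorize(session, "view_balance", 59))                               # allow
    print(authorize(session, "rollover", 59))                                   # step_up_required
    print(authorize(session, "rollover", 59, "000000"))                         # deny
    print(authorize(session, "rollover", 59, totp(session.totp_secret, 59)))    # allow
    print(authorize(session, "change_bank_account", 200))                       # allow, within window
    print(authorize(session, "change_bank_account", 400))                       # step_up_required
```

The point of the window is usability, not security: it should be short, and a production system would also tie the check to the specific request (for example, displaying the destination account in the prompt) so that a code obtained for one action cannot be replayed for another.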
Hiring Service Providers. The second document released, titled Tips for Hiring a Service Provider With Strong Cybersecurity Practices, is aimed at helping plan sponsors and fiduciaries protect their cybersecurity interests when working with a third party. In this guidance, EBSA lists six core points that plan sponsors and fiduciaries should follow in order to meet their responsibilities under ERISA. As a starting point, EBSA suggests asking potential service providers whether they have cybersecurity insurance coverage, and reviewing public information (including court filings) discussing the service provider's cybersecurity track record and potential liabilities. When it comes time to enter into a service provider contract, plan sponsors should be sure that the contract includes protections addressing access control policies, encryption policies and a notification protocol should a cybersecurity threat impact plan participant data. Finally, EBSA recommends that service provider contracts include a clause requiring ongoing compliance with evolving cybersecurity and information security standards.
Cybersecurity for Participants. The third piece of guidance, titled Online Security Tips, is directed at participants and provides a list of best practices to reduce the risk of fraud and cybersecurity threats to retirement accounts. This guidance provides best practices for maintaining a secure online presence, such as using multifactor authentication where possible, changing passwords regularly and avoiding free or public Wi-Fi when possible. Plan fiduciaries wishing to provide cyber-related education to participants should look to this guidance as a road map.
DOL Cybersecurity Audits. Shortly after the release of this cybersecurity guidance, the DOL started ramping up its cybersecurity audit protocols by contacting plan sponsors and fiduciaries and inquiring as to their cybersecurity practices. Though a formal list of questions has not been publicly released, plan sponsors and fiduciaries should be prepared to produce cybersecurity and data privacy policies, information and documentation related to past cybersecurity incidents and cybersecurity risk assessment reports. Additionally, because one of the DOL guidance documents concerns best practices for hiring service providers, sponsors and fiduciaries should work with their third-party service providers to ensure their cybersecurity practices satisfy the released guidance.
Conclusion. Through this guidance, EBSA is clearly signaling to plan sponsors and fiduciaries that it expects them to maintain a secure data and cybersecurity infrastructure for both internal and participant-facing systems. Accordingly, plan fiduciaries should make cybersecurity considerations part of their regular administrative process in order to ensure that their benefit plan accounts and systems are properly protected from ever-evolving cyber threats. If you have any questions about EBSA's guidance, or if you need assistance ensuring that your cybersecurity policies and practices comply with EBSA's expectations, please contact the authors or another member of Holland & Knight's ERISA Litigation Team or Data Strategy, Security & Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.