New ERISA Guidance on Retirement Plan Cybersecurity

The Department of Labor (DOL) has just issued first-time retirement plan guidance to address cybersecurity risks for employers, plan fiduciaries, recordkeepers and plan participants.  The guidance is in the form of recommended best practices to protect retirement benefits by providing strong cybersecurity practices for employers and plan service providers and online security tips for participants.

The concern is that with millions of dollars accumulating in retirement and 401(k) plans, without sufficient protections, participant data and plan assets may be at risk of cybersecurity threats.  The guidance confirms the DOL’s view that cybersecurity is a fiduciary obligation and that plan fiduciaries should take reasonable and appropriate steps to protect their retirement plans and related participant data from cybersecurity breaches.

The guidance comes in three parts: (1) cybersecurity program best practices, (2) tips for hiring service providers with strong cybersecurity practices, and (3) online security tips for participants to protect their plan accounts.

Cybersecurity Program Best Practices.  This is intended to help plan fiduciaries and recordkeepers manage cybersecurity risks.   The guidance provides the following recommendations:

1. Formal, well-documented cybersecurity program
2. Prudent annual risk assessment
3. Reliable annual third-party audit of security controls
4. Define and assign information security roles and responsibilities
5. Strong access control procedures
6. Assets or data stored in a cloud or managed by a third-party service provider subject to appropriate security reviews and independent security assessment
7. Periodic cybersecurity awareness training (at least annually)
8. Have a secure system development life cycle (SDLC) program
9. Have a business resiliency program addressing business continuity, disaster recovery and incident response
10. Encrypt sensitive data, stored and in transit
11. Strong technical controls
12. Timely response to cybersecurity incidents

Tips for Hiring Service Providers with Strong Cybersecurity Practices.  These recommendations help employers and plan fiduciaries satisfy their ERISA fiduciary duty to prudently select and monitor service providers with respect to cybersecurity.

1. Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to industry standards adopted by other financial institutions.
2. Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standards.
3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation and legal proceedings related to vendor’s services.
4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
5. Determine if the service provider has insurance policies that cover losses caused by cybersecurity and identity theft breaches.
6. Ensure that service contracts require ongoing compliance with cybersecurity and information security standards and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.

Online Security Tips for Plan Participants.  Employers should educate participants on the importance of online security and consider including these tips in participant communications and plan educational meetings.

1. Establish and routinely monitor online accounts
2. Use strong and unique passwords
3. Use two-factor authentication (for example, entering a code sent by text or email)
4. Keep personal contact information current
5. Close or delete unused accounts
6. Beware of public/free wi-fi
7. Beware of phishing attacks
8. Use antivirus software and update devices and apps regularly
9. Know how to report identity theft and cybersecurity incidents – the FBI and Department of Homeland Security maintain sites for reporting cybersecurity incidents:

https://www.fbi.gov/file-repository/cyber-incident-reporting-united-message-final.pdf/view

https://www.cisa.gov/reporting-cyber-incidents

This guidance clearly establishes that the DOL considers cybersecurity a fiduciary responsibility.  Therefore, employers and plan fiduciaries should strongly consider these recommendations for their retirement plans, participants and plan service providers.  They should review current practices and provider contracts and consider adopting a cybersecurity policy that includes the applicable best practice suggestions.

Please contact Vandeventer Black LLP if you have any questions or would like additional information.