DOL cybersecurity guidance
On April 14, 2021, the Department of Labor released cybersecurity guidance for service providers (Cybersecurity Program Best Practices), plan sponsors (Tips for Hiring a Service Provider with Strong Cybersecurity Practices), and plan participants (Online Security Tips).
In this article, we briefly review the guidance for service providers and sponsors.
Background: plan fiduciary responsibility for provider cybersecurity
The focus of this guidance is not sponsor cybersecurity. Rather, the focus is on the responsibility of plan fiduciaries for the cybersecurity of plan providers, a slightly more complicated issue.
Let’s begin by noting a basic ERISA fiduciary principle: plan fiduciaries have a fiduciary responsibility for the prudence of the selection and continued retention of plan service providers, e.g., the plan’s recordkeeper and trustee. This prudence requirement extends to the “cybersecurity” of, e.g., participant data held by a plan recordkeeper.
Thus, DOL’s new cybersecurity guidance begins with the statement “ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
For sponsors, this – the “obligation to ensure proper mitigation of cybersecurity risks” – is the critical issue. If the last 20 years of ERISA litigation has shown anything, it is that where there is a problem with a plan service provider, e.g., the plan’s recordkeeper’s fees are too high, or its cybersecurity standards are too low, it is the plan fiduciary who will be sued. So, when reviewing DOL’s description of “best practices” for service providers, plan fiduciaries should consider how they are going to monitor service provider compliance with them, to “ensure proper mitigation of cybersecurity risks.”
Provider cybersecurity Best Practices
We are not cyber experts and can’t really evaluate whether DOL’s guidance represents the latest thinking on retirement plan cybersecurity. As summarized by DOL, the following are the “best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire.”
Plan service providers should:
Have a formal, well documented cybersecurity program.
Conduct prudent annual risk assessments.
Have a reliable annual third-party audit of security controls.
Clearly define and assign information security roles and responsibilities.
Have strong access control procedures.
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
Conduct periodic cybersecurity awareness training.
Implement and manage a secure system development life cycle (SDLC) program.
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
Encrypt sensitive data, stored and in transit.
Implement strong technical controls in accordance with best security practices.
Appropriately respond to any past cybersecurity incidents.
DOL’s detailed descriptions of each of these requirements are available here.
Tips for Hiring a Service Provider with Strong Cybersecurity Practices
In a separate document, DOL provided a set of “tips” for hiring (and, one assumes, monitoring and retaining) service providers with cybersecurity responsibilities.
Summarizing, the plan fiduciary should:
Ask about the provider’s security standards, practices (including how practices are validated), and policies, the security levels/standards it has met, and its audit results, and compare them with those of other firms. In this regard, providers that follow an “outside standard” and use a third-party auditor and that make audit results available should be preferred.
Review the provider’s “track record,” including information security incidents and litigation/legal proceedings and ask about past security breaches.
Find out if the provider has any relevant insurance policies. (We would observe that, generally, an adequately capitalized or insured provider that is prepared to stand behind its performance is (obviously) to be preferred.)
Contract for ongoing compliance with cybersecurity/information security standards and beware of contract limitations on this responsibility and on responsibility for security breaches.
Contract for:
An explicit service provider obligation of data confidentiality subject to a strong standard of care.
A third-party compliance audit. (The current industry standard in this regard is AICPA’s SOC 1 and SOC 2. We would add that the sponsor fiduciary should negotiate for the right to review this audit and for remedies where there is significant noncompliance.)
Notification of cybersecurity breaches and an obligation to cooperate in their investigation and remediation.
Compliance with records retention and destruction, privacy and information security laws.
Adequate insurance coverage.
Observations
At the risk of leaving out some critical issues, we would boil down the plan fiduciary’s responsibility with respect to a provider’s cybersecurity as follows.
If there is a cybersecurity “issue” (e.g., a data breach) that is, in some respects, a service provider’s (e.g., a recordkeeper’s) “fault,” the key questions are:
How will a plan fiduciary show that it took reasonable steps (1) to avoid this breach (e.g., by requiring and monitoring provider compliance with appropriate cybersecurity standards) and (2) to provide for its adequate remediation/correction (if possible)?
And how will the plan fiduciary secure remedies against the provider in the event that it (the plan fiduciary) is held liable for the provider’s security breach?
In addressing these issues, the first line of defense will be the terms of the contract with the service provider. That contract should (per DOL’s guidance and ordinary practice):
Secure the confidentiality of participant information.
Provide for a set of minimum standards the provider will meet.
Provide a method for monitoring provider compliance – ideally, an annual outside audit, a copy of which the plan fiduciary receives.
Provide an adequate remedy for breaches.
* * *
We will continue to follow this issue.