On April 14, 2021, the Department of Labor (DOL) issued guidance regarding retirement plan cybersecurity in the form of best practices for retirement plan service providers, best practices for the selection of service providers with strong cybersecurity practices, and online security tips for participants. While the DOL stopped short of providing any analysis or discussion of the standards that plan fiduciaries must satisfy and did not provide any safe harbor relief to retirement plans, the guidance is a welcome development for plan sponsors and service providers alike.
The issue of cybersecurity has garnered increased attention in recent years with the proliferation of cybersecurity attacks on individuals, private companies and governments. Given the nearly $10 trillion held in retirement plans, retirement plans are high-profile targets for hackers and other unscrupulous actors. This issue has been underscored by several pending lawsuits involving bad actors who allegedly were able to access participant accounts and obtain significant distributions due to lax security protocols employed by retirement plan service providers. Various industry groups and providers have repeatedly sought clarity from the DOL regarding the standards (if any) that apply, but the DOL had remained silent on the issue until now.
In February 2021, the Government Accountability Office (GAO) issued a report entitled “Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans.” In it, the GAO noted that retirement plan administration often involves multiple parties that may have a need to use or disclose sensitive personally identifiable information (PII) of plan participants. While many of the parties involved may be subject to established security standards—such as financial institutions—many are not. The GAO also observed that the DOL had not, prior to the recent best practices guidance, provided any clarity on the standards that apply, stating:
“Federal law nevertheless requires plan fiduciaries to act prudently when administering plans. However, the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of 22 stakeholders GAO interviewed expressed the view that cybersecurity is a fiduciary duty. Further, DOL has not established minimum expectations for protecting PII and plan assets.”
The GAO made two recommendations based on its research and review:
“GAO is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in DC [defined contribution, e.g., 401(k)] plans and to establish minimum expectations for addressing cybersecurity risks in DC plans.”
The DOL issued three pieces of guidance: (1) cybersecurity program best practices for service providers, (2) tips for plan sponsors to hire service providers with strong cybersecurity practices, and (3) online security tips directed at plan participants to safeguard their accounts.
Retirement Plan Service Provider Best Practices
The service provider guidance discusses 12 best practices that should be adopted by retirement plan service providers in connection with cybersecurity:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures, including limiting data access to those who need it and only to the extent necessary.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle program (i.e., the multi-step process for developing systems that includes initiation, analysis, design, implementation, maintenance and disposal of a system).
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data while stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
For plan sponsors of group health plans, the best practices should be familiar as they are similar in many ways to the security requirements that apply to electronic protected health information under HIPAA. The best practices—like HIPAA’s security requirements—are designed to ensure the confidentiality, integrity and accessibility of sensitive information.
While these best practices are directed at retirement plan service providers, they impact plan sponsors in two primary ways. First, plan sponsors often provide services to their retirement plans and may access, store and disclose PII in connection with providing administrative services to the retirement plan. As a result, plan sponsors should apply these best practices to their internal retirement plan activities.
Second, the DOL’s enforcement authority extends to plan fiduciaries who have responsibility to prudently select and monitor plan service providers, but not directly to non-fiduciary service providers. As a result, plan fiduciaries should implement the best practices when selecting and monitoring plan service providers.
Tips for Hiring Service Providers with Strong Cybersecurity Practices
As noted above, among other obligations, plan fiduciaries must prudently select and monitor their service providers, including their cybersecurity practices. To aid plan fiduciaries in discharging this obligation, the DOL provided tips for hiring service providers with strong cybersecurity practices. The DOL recommends that plan sponsors—
- Ask about the service provider’s information security standards, practices and policies, and audit results and compare them to the industry standards adopted by other financial institutions.
- Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity practices.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
Recognizing that a plan sponsor’s means for enforcement of service provider cybersecurity best practices will be largely contractual, the DOL recommended several contractual provisions. Specifically, the DOL recommended that plan sponsors pursue provisions that (i) require ongoing compliance with cybersecurity and information security standards, (ii) require service providers to annually obtain a third-party audit to determine compliance with cybersecurity and information security policies and procedures and permit the plan sponsor to review the results, (iii) define the service provider’s confidentiality obligations including how the service provider may use and disclose confidential information and the standard of care that will apply, (iv) impose breach notification obligations including the timeframe for notification and the service provider’s obligations to investigate the breach and address the cause, (v) require compliance with all applicable record retention and destruction, privacy and information security laws, and (vi) require insurance coverage that would cover losses resulting from cybersecurity breaches or incidents. The DOL also recommended that plan sponsors beware of provisions that limit the service provider’s responsibility or liability for security breaches.
The DOL made clear that its list of recommended contractual provisions is not exhaustive. Indeed, the DOL mentioned in its service provider best practices guidance additional contractual provisions that should be pursued, including (i) provisions establishing the service provider’s access control policies and use of multi-factor authentication, and (ii) provisions establishing the service provider’s encryption policies and procedures.
Online Security Tips for Plan Participants
Finally, recognizing that participants also play an important role in the security of their account information, the DOL issued online security tips for participants, which include—
- Establishing and routinely monitoring online accounts
- Using strong and unique passwords
- Using multi-factor authentication
- Regularly updating contact information
- Closing or deleting unused accounts
- Being cautious of using open Wi-Fi networks
- Being aware of phishing attacks
- Using antivirus software and keeping applications and software current
- Knowing how to report identity theft and cybersecurity incidents
Plan sponsors should consider integrating the online security tips in future educational campaigns directed at plan participants and in participant communications.
Discussion and Next Steps
While the DOL guidance is a welcome development, many unanswered questions remain. For instance, the DOL did not discuss the basis for its conclusory statement that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks,” or establish minimum expectations for fiduciaries charged with the selection and monitoring of service providers and ensuring the confidentiality, integrity and accessibility of PII. The DOL also did not address the issue of whether plan data is a plan asset.
Despite the many questions that remain, the guidance provides a helpful roadmap for cybersecurity practices. As a result, plan sponsors should carefully consider the guidance and its implications for their retirement plans and service providers, review current practices and service provider arrangements, and work with counsel to implement the recommended best practices as appropriate.
- Edward C. Redder | Edward.Redder@ThompsonHine.com
- Craig A. Foster | Craig.Foster@ThompsonHine.com
- Brian L. Gaj | Brian.Gaj@ThompsonHine.com
Compliments of Thompson Hine LLP – a member of the EACCNY.