On April 14, 2021, the Department of Labor (“DOL”) issued three documents that provide cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. Cybersecurity has become an increasingly important topic for plan sponsors and committees, given the fiduciary requirements to act in the interest of plan participants and to prudently select and monitor service providers, in addition to general risk management considerations. While the guidance was not issued under a formal notice and comment process, it lists actions the DOL recommends that plan fiduciaries and committees take to safeguard data and monitor service providers – and potentially indicates the steps that the DOL would view as the minimum necessary to satisfy applicable fiduciary obligations.
The three pieces of cybersecurity guidance are:
The Contracting Guidance lists six steps to help plan fiduciaries meet their fiduciary responsibility to prudently select and monitor service providers:
- Ask the service provider to provide information on its security standards, policies, and audit results – so the plan fiduciary can compare them to industry standards adopted by other financial institutions;
- Ask the service provider how it validates its practices, and what levels of security standards it has implemented;
- Evaluate the service provider’s track record in the industry – for example, by checking if there is any public information indicating there have been other security incidents or litigation;
- Ask about past security breaches and resolution;
- Review whether the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft; and
- Include specific terms in the contract to enhance cybersecurity protection for the plan and participants, including: requiring annual audits of the service provider by a third party; addressing confidentiality requirements; requiring prompt notice of a cyber incident or data breach and assistance in investigating and addressing the breach; requiring compliance with all applicable federal, state, and local laws related to privacy, security, and confidentiality; and requiring insurance coverage, including cyber liability coverage.
Plan fiduciaries should review the steps listed in the Contracting Guidance when contracting with new service providers and may also want to reach out to current service providers to discuss their cybersecurity measures in light of the guidance, for example by confirming that existing vendors use an outside third-party auditor to annually review and validate their cybersecurity.
There are twelve Best Practices for recordkeepers and service providers, including but not limited to: ensuring that data stored in a cloud or managed by a third-party service provider are subject to appropriate security review and independent security assessments; conducting periodic cybersecurity awareness training; and implementing strong access control procedures. The DOL provides detailed information on each of the Best Practices.
Although the Best Practices are directed to recordkeepers and service providers, the DOL indicates that the Best Practices may provide insight to plan fiduciaries in making prudent decisions when selecting a service provider to hire or when evaluating whether to retain a current service provider, for example by asking the current or potential future recordkeeper to provide its assessment of the controls and processes in place to protect plan and participant data when data is stored by third-party vendors.
This guidance is directed toward plan participants, and includes steps for participants to take to reduce the risk of fraud and loss to a retirement account as the result of a cybersecurity attack. For example, the DOL recommends that participants delete unused accounts, set up strong and unique passwords, and enable multifactor authentication. Although the guidance is directed at participants, it may prove useful to plan fiduciaries in education efforts to help participants keep their information safe.
Plan sponsors and fiduciaries should review their current policies and procedures to determine what, if any, additional actions could be taken to mitigate cybersecurity risks and decrease exposure to fiduciary breach claims related to allegedly inadequate cybersecurity measures. Contact your Faegre Drinker attorney to discuss how this guidance can be used to reduce the risk of fiduciary breach claims related to cybersecurity.