In response to a recent General Accounting Office (GAO) report recommending federal guidance to mitigate cybersecurity risks in retirement plans and to respond to ever-increasing cyber threats to plan participant data and plan assets, the U.S. Department of Labor (DOL) Employee Benefits Security Administration (EBSA) published its first cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants of ERISA-covered retirement plans. The guidance issued on April 14, 2021, addresses the following:
- Cybersecurity program best practices for service providers;
- Plan sponsor tips for evaluating service providers’ cybersecurity practices; and
- Online security tips for plan participants.
On balance, the DOL’s guidance is helpful to plan participants who want to take an active role in helping to ensure their data is secured, but for employer plan sponsors and other ERISA plan fiduciaries, the guidance provides much to consider. Employers are now on notice regarding their heightened obligations to protect the privacy and security of plan participants’ information and retirement accounts, and those who have historically taken a more narrow focus on fiduciary duties are wise to add cybersecurity and general data privacy advisors to their legal resource teams.
The February 2021 GAO report recommended that the DOL formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in defined contribution plans and to establish minimum expectations for addressing cybersecurity risks in defined contribution plans. At the time GAO issued its report, the DOL did not state whether it agreed or disagreed with the concept that a plan fiduciary has a responsibility to mitigate cybersecurity risk. Now, in its announcement accompanying the release of the new guidance, the DOL unequivocally answers the question in the affirmative.
The DOL’s new guidance confirms that ERISA requires plan fiduciaries to take appropriate steps to identify and mitigate the risks posed by internal and external cybersecurity threats in a retirement plan context. This is a noteworthy, functional expansion of ERISA’s fiduciary framework. Although the ERISA plaintiff’s bar has not gained significant ground in the cybersecurity litigation space, there is no doubt that cyberattacks and data theft considerations are increasingly high stakes issues. Fortunately, the new DOL guidance creates a substantive roadmap for plan sponsors and service providers that wish to proactively address these matters.
First, EBSA’s “Cybersecurity Program Best Practices” serves as a checklist for recordkeepers and other service providers responsible for plan-related information systems and for plan fiduciaries who want to make prudent decisions about the service providers they engage. Second, in “Tips for Hiring a Service Provider with Strong Cybersecurity Practices,” EBSA clearly signals that plan sponsors are expected to use service providers that have robust cybersecurity practices. This document identifies key factors that plan sponsors and fiduciaries can use to prudently select and monitor such service providers. Finally, although plan fiduciaries should take precautions to mitigate cybersecurity risks, in its “Online Security Tips” EBSA also educates plan participants about ways in which they can reduce the risk of fraud or loss to their retirement accounts.
Many of the concepts outlined in the three guidance documents draw upon generally recognized cybersecurity best practices and recommendations. As such, operational leaders at companies sponsoring defined contribution plans may recognize EBSA’s recommendations as being similar to cybersecurity policies and procedures they have already implemented in connection with their business operations. But other ERISA plan fiduciaries who have not had a professional need to concern themselves with the ever-changing cybersecurity landscape may find this guidance less familiar. In such cases, fiduciaries will likely seek training by advisors who can address the unique overlap between ERISA fiduciary responsibilities and retirement plan compliance topics and the appropriate cybersecurity and privacy frameworks.
The DOL has now confirmed that ERISA fiduciaries must take affirmative steps to mitigate the risk to plan participants and plan assets posed by cyber threats. To respond, plan fiduciaries and sponsors should review the guidance, assess how their current cybersecurity practices and those of their recordkeepers and service providers compare with the EBSA recommendations, consider service provider contract and plan document amendments as appropriate, and develop a plan to implement the recommendations. Fiduciary training should be considered as part of any such plan. Fiduciaries, sponsors, recordkeepers, and service providers should also document their compliance efforts, as it seems certain that the DOL and other regulators will expect ERISA plan sponsors and fiduciaries to substantiate their cybersecurity compliance training, procedures, and participant disclosure approaches.
Author’s Note: Links to the guidance discussed in this update can be found at: https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity. This page includes the DOL News Release and the links to the three guidance documents described in the first paragraph.