In April 2021, the Department of Labor (DOL) announced official guidance relating to cybersecurity best practices, including maintaining security frameworks, reducing cyber risks, and ensuring retirement benefits are protected.

The guidance is targeted for plan sponsors, fiduciaries, and record keepers of all sizes and regulated by ERISA, as well as plan participants and beneficiaries. The release of the guidance is the first time that directions relating to cybersecurity has been outlined and issued by the DOL’s Employee Benefits Security Administration (EBSA).

Cybersecurity-related problems impact organizations of all shapes and sizes and can be a point of concern for both plan sponsors and plan participants. According to the EBSA, “there were more than 34 million defined benefit (DB) plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion” as of 2018. Without adequate protection and preparation, the EBSA notes that these participants and assets will continue to be at risk for internal and external cybersecurity threats. Plan sponsors and fiduciaries need to take appropriate action to ensure that impacts are effectively mitigated.

The DOL guidance comes in three parts: “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices” and “Online Security Tips.”

Selecting a qualified and experienced service provider is a critical step in a successfully establishing a secured environment. Directed towards plan sponsors, the guidance focuses on best practices for hiring service providers. It is worth noting that the EBSA outlines the responsibility to “prudently select and monitor” service providers with strong cybersecurity practices to fall upon the employers and fiduciaries. All potential service providers should be evaluated and closely monitored.

Law firms for the plans will be instrumental in helping to draft contract language that allows the plans to audit the service providers and requires the minimum cybersecurity standards to be in place. Law firms can also offer guidance on situations where service providers do not wish to disclose this information, as the DOL does not directly address this. Several questions to ask a potential service provider include:

The second part of the DOL guidance is the part that has received the most attention: “Cybersecurity Program Best Practices.” Those in the cybersecurity industry will see this guidance as industry best practices. It is important to note that this guidance is a fiduciary responsibility of the plan to protect the participants’ data. The DOL provided a “road map” for each of the twelve areas of the Cybersecurity Best Practices, and it is essential to understand and review the details of the twelve addressed areas. Even this guidance has caused questions about the proper implementation of plans that fully outsource their administration, and this responsibility lies solely with the service provider. This is an incorrect interpretation of the guidance, and plans should expect to have a written information security program in place that will most likely
reference their service provider(s).

The guidance for record keepers and service providers outlines the basic rules to implement and ensure that the risk of fraud and loss to retirement accounts is mitigated. A snapshot of several high-level best practices include:

The final part of the guidance is related to participant education. Suppose participants have access to their plan information online. In that case, the plan should provide “Online Security Tips” in an easily accessible location on the plan’s website for all participants to review.

Plan participants and beneficiaries can reduce cyber threats and other risks to retirement accounts through consistent monitoring. Among the tips provided include:

Many fiduciaries want to know how best to develop policies, procedures, and internal controls to manage and protect plan data. Cybersecurity involves measuring relevant standards against established frameworks and adopting reasonable protections. Frameworks include (but are not limited to) The Center for Internet Security Critical Security Controls (CIS), The International Standards Organization (ISO), and The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).

Challenges have arisen in the last year related to the DOL not identifying a specific framework to establish cybersecurity alignment. Leadership teams must gather existing documentation, review current controls, and attempt to determine “where they are” and “where they need to be.”

Working with a trusted cybersecurity advisor who understands the DOL guidance and, more importantly, what is needed to satisfy the requirements is vital. The review process requires knowledge that comes only from security experience in the industry. Plan fiduciaries attempting to compile documentation and institute change based on traditional practices often repeat the process, with a DOL experienced advisor the second time.

The best practices and tip sheets outlined by EBSA should be considered by all organizations regardless of the size of the plan assets and participants. Organizations that already have a well-established cybersecurity strategy within their organization should continue to be prudent and monitor risks. Plan sponsors should continuously monitor the effectiveness of the cyber security controls of their service providers. Regulatory obligations related to cybersecurity will continue to evolve. A sound data-protection program aligned to business objectives has become critical for any organization that is the custodian/steward of information.