Department of Labor Issues Cybersecurity Guidance
By Barry Salkin
In recent years, the Department of Labor (DOL) has been subject to informal criticism for its lack of guidance about a plan fiduciary’s responsibility for cybersecurity issues. Language in the preamble to the updated 2020 DOL regulation concerning electronic disclosure may have foreshadowed what the DOL’s position on the issue would be. There has been a general consensus that there is a fiduciary component to addressing cybersecurity risks, and in many instances plan sponsors and plan fiduciaries have been operating on the premise that, at least to some extent, there is a fiduciary obligation to address cybersecurity issues that may arise under employee benefit plans. Even so, guidance from the DOL was seen as an important step in translating that general understanding under ERISA into concrete practices. The Wagner Law Group was one of the parties that wrote to the DOL indicating the need for formal guidance in this area.
On April 12, 2021, the DOL addressed cybersecurity issues, not in the form of an advisory opinion, information letter, or a field advice bulletin, but rather in the form of three documents describing best practices for plan sponsors and plan fiduciaries, service providers to plans, and plan participants. There is no discussion of whether a participant’s plan data is a plan asset under ERISA, or the relative level of responsibility of a plan sponsor/plan fiduciary and a plan’s service provider.
The DOL guidance is in three forms: Tips for Hiring a Service Provider with Strong Cybersecurity Practices; Cybersecurity Program Best Practices; and Online Security Tips. Each has a different target audience.
Plan Sponsors and Plan Fiduciaries:
Tips for Hiring a Service Provider with Strong Cybersecurity Practices is intended as guidance for plan sponsors and plan fiduciaries. Tips for these fiduciaries include:
- Ask about the service provider’s information security standards, practices, policies, and audit results; compare them to the industry standards adopted by other financial institutions.
- Ask the service provider how it validates its practices, and what level of security standards it has met and implemented.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches, including breaches caused by both internal and external threats.
- Ensure that the contract with the service provider requires ongoing compliance with cybersecurity and information security standards.
The guidance also suggests trying to include certain provisions in the contract that would enhance cybersecurity protection, such as:
- information security reporting;
- clear provisions on the use and sharing of information and confidentiality;
- complying with records retention and destruction, privacy, and information security laws; and
- requiring various types of insurance, such as cyber liability and privacy breach insurance.
Recordkeepers and Other Service Providers:
For recordkeepers and other service providers, the DOL listed 12 best practices, each of which it discussed in detail:
- Have a formal, well-documented cybersecurity program
- Conduct prudent annual risk assessments
- Have reliable annual third-party audits of security controls
- Clearly define and assign information security roles and responsibilities
- Have strong access control procedures
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments
- Conduct periodic cybersecurity awareness training
- Implement and manage a secure system development life cycle program
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response
- Encrypt sensitive data, both stored and in transit
- Implement strong technical controls in accordance with best security practices
- Respond appropriately to any cybersecurity incidents.
The DOL did not charge plan participants with any legal responsibilities about plan cybersecurity. It did, however, provide online security tips to plan participants. Participants will likely be familiar with several of these tips because they apply in other contexts:
- Use strong and unique passwords
- Be aware of phishing attacks
- Use antivirus software, and
- Keep apps and software current.
New Best Practices Foster New Threats for Those Who Fail to Follow Them:
These three new items of guidance complement the DOL’s 2020 guidance on electronic records and disclosure to plan participants and beneficiaries. That 2020 guidance included provisions requiring that electronic recordkeeping systems have reasonable controls, that adequate record management practices be in place, and that electronic disclosure systems include measures reasonably calculated to protect personally identifiable information.
Plaintiffs’ counsel watch new guidance closely and treat it as a checklist for potential lawsuits, including suits for losses resulting from a successful cybersecurity attack against the plan or one or more of its members. If a plan sponsor does not attempt to implement as many of these measures as possible in a timely fashion, there is little doubt that such omissions would be highlighted in a plaintiff’s lawsuit.