Benefit plan sponsors and plan fiduciaries should take note and act quickly—the Department of Labor (DOL) has issued a new cybersecurity guidance package with far-reaching effects and has already begun applying it in its enforcement efforts.
Earlier this year, the Government Accountability Office (GAO) released findings from a recent study looking at cybersecurity issues and risks related to 401(k) and other retirement plans. The report affirmed what many know to be true: private sector employer-sponsored defined contribution plans are a crucial component of retirement security for millions of Americans, and records for these plans are largely stored and accessed virtually. The GAO issued an urgent recommendation that the DOL (1) affirmatively state whether cybersecurity is a fiduciary obligation and (2) provide comprehensive guidance for plan sponsors and service providers regarding mitigation of this cybersecurity risk. In response to the report and its findings, the DOL has issued a three-part cybersecurity guidance package.
The package contains: (1) a 12-prong cybersecurity best practices summary, (2) tips for hiring service providers, and (3) a model notice offering participants and beneficiaries online security tips. The guidance is framed by the DOL’s statement that ERISA requires plan fiduciaries to take prudent actions to mitigate cybersecurity risks to the plan. The guidance (and, in particular, the best practices summary) reflects what the DOL may regard as a minimum standard for cybersecurity, and fiduciaries should therefore evaluate it carefully in meeting their fiduciary duties.
Although the most detailed piece of the package—the best practices summary—is framed as applying to plan service providers (such as recordkeepers and administrators), enforcement actions already under way suggest that these standards likely also apply to plan-related information maintained by the plan fiduciary itself. As such, benefit plan sponsors and plan fiduciaries would be well served to use the package as a guide in revisiting both their own internal cybersecurity policies and those of their plan vendors.
Further, plan sponsors and fiduciaries should be aware that this cybersecurity guidance likely applies to all plans governed by ERISA, not just retirement plans. This means that a cybersecurity review should also be performed for ERISA-covered health and welfare plans.
A brief summary of the cybersecurity best practices is included below. The chart takes the 12 prongs from the DOL’s best practices summary and assigns each to one of four categories: (1) Overall Program, (2) Annual Duties, (3) Nuts & Bolts of Security, and (4) Incident Response. For each of the 12 prongs, plan sponsors and fiduciaries should ask:
- Do we have internal cybersecurity policies that already meet or could be adapted to meet these standards? If not, how can we best draft cybersecurity policies to incorporate these standards?
- Do all vendors with access to plan information have cybersecurity policies that meet these standards? Do their own vendors further down the supply chain have such policies? Do our contracts with these vendors adequately protect the plan from potential incidents?
DOL Cybersecurity Best Practices Summary:
As always, plan sponsors and fiduciaries are encouraged to reach out to competent ERISA counsel with any questions or concerns. Poyner Spruill’s employee benefits team would be happy to assist with any questions—including those about adopting standardized cybersecurity policies or potential provisions that could be incorporated into vendor agreements.