Don’t Be Insecure: DOL Guidance Addresses Cybersecurity for ERISA Plans
The Guidance, which is intended for sponsors, fiduciaries, record keepers, and participants of plans governed by the Employee Retirement and Income Security Act of 1974 (“ERISA”), is composed of three documents – 1) Tips for Hiring a Service Provider; 2) Cybersecurity Program Best Practices; and 3) Online Security Tips. Though styled as “tips” and “best practices,” the Guidance nonetheless imposes several obligations on plan fiduciaries. We set forth each below:
Tips for Hiring a Service Provider
To abide by the obligation to prudently manage plan assets, when engaging a service provider, plan sponsors and fiduciaries must conduct appropriate due diligence. With respect to security, this means, at a minimum, ensuring that vendors:
- Abide by a recognized standard for information security, and be subject to audits by an outside (third-party) auditor to review and validate cybersecurity;
- Undergo a security review to investigate the service provider’s “track record in the industry,” with a specific focus on whether the service provider has experienced past data breaches;
- Be subject to contractual provisions that (a) do require “ongoing compliance with cybersecurity and information security standards,” and (b) do not overly “limit the service provider’s responsibility for IT security breaches;” and
- Adhere to controls and provisions specifically addressing information security reporting, cybersecurity breach notifications, as well as the requirement for professional liability insurance.
A link to the Tips for Hiring a Service Provider is here.
Cybersecurity Program Best Practices
The bulk of the Guidance is contained within the Cybersecurity Program Best Practices, which is aimed largely at record keepers and service providers. Here, the Guidance includes twelve “best practices” relating to plan-related IT systems and data, as follows:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents
A link to the Cybersecurity Program Best Practices is here.
Online Security Tips
Finally, the Guidance also includes a set of Online Security Tips, which serve as a reminder to keep security in mind. These “Tips” largely relate to security measures participants should use in protecting their accounts. Examples of features to consider include multi-factor authentication, strong and unique passwords, and general awareness of phishing attacks. All of these are bolstered by appropriate and regular training.
This portion of the Guidance contains at least an implicit acknowledgment that plan participants and beneficiaries themselves also play an integral role in mitigating cybersecurity risks. In this regard, the Guidance indicates that DOL will take an expansive view in evaluating the measures plan fiduciaries have implemented to mitigate cybersecurity risks, including whether plan fiduciaries took steps to mitigate cybersecurity risks stemming from plan participants and beneficiaries themselves.
A link to the Online Security Tips is here.
Takeaways
Read together, each component of the Guidance teaches that ERISA plan sponsors, fiduciaries, and service providers must act both proactively and reactively to mitigate cybersecurity risks. At a minimum, the Guidance indicates how DOL will evaluate efforts to mitigate cybersecurity risks. To comply with the Guidance, plan sponsors, fiduciaries, and service providers should carefully review current cybersecurity programs, including IT security, service provider agreements, internal policies, and training programs.