The U.S. Department of Labor (“DOL”) recently issued guidance on best practices for maintaining cybersecurity, directed at plan sponsors, fiduciaries, record-keepers and participants of employee benefit plans governed by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). While some prior cybersecurity guidance has been issued for certain employee benefit plans governed by ERISA, this is the first cybersecurity guidance issued by the DOL’s Employee Benefits Security Administration (EBSA) itself.
Although the guidance focuses primarily on retirement plans (e.g., pension and 401(k) profit sharing plans), the guidance applies to any ERISA-covered plans, including health and welfare benefit plans, that would be subject to the same fiduciary standards. Implicit in the DOL’s guidance is that plan fiduciaries of pension benefit plans as well as health and welfare benefit plans have a fiduciary duty to secure plan data and participant information.
The DOL guidance takes the form of “tips” and “best practices” in three parts: Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips.
The guidance is intended to complement the EBSA’s regulations on electronic records and electronic disclosures to plan participants and beneficiaries. Those regulations require electronic recordkeeping systems to have reasonable controls and adequate records management practices in place, and require electronic disclosure systems to include measures calculated to protect personally identifiable information.
Plan sponsors, other plan fiduciaries and plan record-keepers should anticipate that in future DOL audits, investigations and enforcement actions, the DOL’s cybersecurity guidance will serve as the benchmark for assessing whether adequate protections have been put in place to protect plan data and participant information against cybersecurity risks. In fact, recent DOL audit questionnaires have included a series of cybersecurity questions, such as whether the third-party service provider maintains a privacy and security policy that applies to personally identifiable information for benefit plans. The DOL has also asked whether the third-party service provider carries cyber insurance, whether it requires authentication procedures, how it maintains its technology and implements required updates, what security requirements it applies to information throughout its lifecycle (from storage, through the retention period, to destruction), and what training it requires of employees with access to plan information.
Tips for Hiring a Service Provider:
The first part of the DOL’s guidance is directed at plan sponsors and fiduciaries, to help them meet their responsibilities under ERISA to prudently select and monitor service providers that maintain plan records and/or participant data. These include:
Cybersecurity Program Best Practices:
The second part of the DOL’s guidance is directed at plan fiduciaries and record-keepers in their responsibility to manage cybersecurity risks. It is intended for use by plan record-keepers and other service providers responsible for plan-related IT systems and data, and by plan fiduciaries making prudent decisions when selecting their service providers.
The DOL guidance lists twelve (12) best practices:
Online Security Tips:
The online security tips are directed at plan participants and beneficiaries who check their retirement accounts online and offer basic rules to reduce the risk of fraud and loss. These include:
If you have any questions on the DOL’s guidance or would like assistance with developing a privacy and cybersecurity compliance program with an emphasis on employee benefit plan compliance, please reach out to one of our team members for assistance.
See, for example, the National Institute of Standards and Technology’s Implementing the HIPAA Security Rule: Call for Comments on SP 800-66, Revision 1, https://csrc.nist.gov/News/2021/call-for-comments-on-sp-800-66-rev-1
We note that the DOL’s ERISA Advisory Council had previously provided a report that outlined “Cybersecurity Considerations for Benefit Plans” and included an appendix with “Considerations for Managing Cybersecurity Risks,” but that such guidance was not issued by the DOL itself.