On April 14, 2021, the Employee Benefits Security Administration of the U.S. Department of Labor (DOL) issued, for the first time, cybersecurity guidance aimed at ERISA plans and fiduciaries. The DOL highlighted that, as of 2018, there are 34 million persons covered by private sector defined benefit pension plans and 106 million persons covered by defined contribution plans (e.g., 401(k) plans), covering estimated assets of $3.4 trillion. The DOL emphasized that sufficient safeguards are needed to protect participants and plan assets from internal and external cybersecurity threats.
The DOL’s Cybersecurity Guidance
The DOL’s cybersecurity guidance is provided in three prongs:
- Cybersecurity Program Best Practices. Provides plan fiduciaries, recordkeepers and other service providers responsible for plan-related IT systems and data with best practices for meeting their responsibilities to manage and mitigate cybersecurity risks.
- Tips for Hiring a Service Provider. Provides plan sponsors and fiduciaries with tips for prudently selecting and monitoring service providers who employ robust cybersecurity practices, including strongly worded recommendations for provisions to include in contracts with service providers.
- Online Security Tips. Provides plan participants with helpful tips for managing cybersecurity risks (e.g., use of strong passwords, monitoring of accounts).
Notably, the DOL affirmatively states in its cybersecurity guidance that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. And while the DOL’s guidance comes in the form of “tips” and “best practices,” a recent audit initiative by the DOL suggests that the guidance may actually be mandatory in practice.
DOL’s Audit Initiative
Right on the heels of issuing its new three-pronged cybersecurity guidance, the DOL has started an initiative to audit the cybersecurity programs of ERISA plan sponsors and fiduciaries. In recent weeks, the DOL has issued information and documentation requests to ERISA plan sponsors and fiduciaries regarding their cybersecurity programs. The requests are detailed, calling for production of all documentation relating to cybersecurity or information security programs covering the data of the employer’s ERISA-governed plan, including security programs maintained by each service provider to the plan, as well as cybersecurity training materials and reports of past breach incidents.
What Should Employers and Fiduciaries Be Doing Right Now?
In light of the DOL’s cybersecurity audit initiative, employers and fiduciaries should act now to do the following:
Review Internal Cybersecurity Programs
Employers and fiduciaries should review the cybersecurity guidance issued by the DOL and analyze how their existing ERISA programs stack up against the DOL’s recommended best practices and tips. If an employer or fiduciary identifies gaps in its cybersecurity programs where the DOL might expect to see cybersecurity protections and documentation in place, it should act to make appropriate changes to bring the program and documentation into alignment with the DOL guidance. Fiduciaries should evaluate best practices for their ERISA plans in their periodic fiduciary meetings, including ensuring that these recommended actions are being prudently addressed.
Analyze Service Providers’ Cybersecurity Programs and Update Service Contracts
Employers and fiduciaries should undertake due diligence to ensure that their ERISA service providers are in compliance with the DOL guidance. Employers and fiduciaries should also discuss with service providers how they will support a DOL audit of their ERISA plans. Contracts with service providers should be updated to include (1) the service provider’s commitment to fully support a DOL audit, (2) a general obligation for the service provider to comply with the DOL guidance, and (3) the provisions recommended by the DOL in its guidance. Among other things, the provisions recommended by the DOL include requirements that the service provider:
- Obtain third-party audits annually of its security practices and procedures (e.g., SOC 2 reports);
- Commit to how promptly it will notify the employer/fiduciary of any cyber incident or data breach; and
- Maintain cyber and other types of insurance.
Many contracts with service providers for recordkeeping and other services do not currently include these types of provisions.
Review Participant Messaging around Cybersecurity Awareness and the Importance of Monitoring Retirement Plan Accounts
The DOL guidelines include a number of online security tips for plan participants that can reduce the risk of fraud and loss to retirement accounts. Participants are increasingly becoming the target of cyber fraud and theft of their retirement savings, whether held in employer-sponsored plans or individual retirement accounts (IRAs); see, for instance, this news story. And in recent ERISA cases, plan participants have become the victims of criminals who were able to access their accounts electronically, either by posing as the victim or by otherwise fraudulently accessing their accounts. In most instances, it took the participants many months to discover that amounts of up to $400,000 had been stolen from their accounts, because the participants did not regularly log into or monitor their 401(k) plan accounts.
Many employers, fiduciaries and service providers educate participants to view their 401(k) plan accounts as long-term retirement vehicles and even advocate a “set it and forget it” approach to retirement savings, especially where target date or life cycle funds serve as the primary investment options under 401(k) plans. In light of the DOL’s focus on protecting plan participants given the rise in cybersecurity fraud and threats faced by all participants in retirement plans, employers and fiduciaries may wish to reconsider their messaging to employees and participants. For example, instead of “set it and forget it” messaging, consider messaging the importance of maintaining robust passcodes and regularly monitoring retirement plan accounts.
Employers and fiduciaries are strongly encouraged to act now to address their cybersecurity practices and those of their service providers, particularly given the DOL’s initiatives, the recent litigation on point, and the real-life threats to participants’ retirement savings.