DOL Publishes Cybersecurity Guidance for Benefits Plans

Plans covered by the Employee Retirement Income Security Act (“ERISA”) are at a greater risk of cyber-incidents since they hold millions of dollars or more in assets and maintain an abundance of personal information about plan participants. Recognizing these risks, on April 14, 2021, the Department of Labor’s (“DOL’s”) Employee Benefits Security Administration (“EBSA”) published cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants. The new guidance pertains to plan sponsors and fiduciaries regulated by ERISA, as well as plan participants and beneficiaries. Furthermore, in its 2022 budget, the EBSA has specifically requested increased expenditures for investigations into cybersecurity breaches and related enforcement actions. Below are highlights from the EBSA’s new guidance for plan sponsors, plan fiduciaries, and record keepers. Within the guidance, there are also tips that plan participants can use to protect their own personal information. The entirety of the EBSA’s guidance can be found here.

Best Practices

EBSA has for years recommended that ERISA plan sponsors, plan fiduciaries and record keepers use the following best practices to mitigate cybersecurity risks. In its new guidance, EBSA makes clear that ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks and outlines some of what constitutes “best practices” in this area. It is unclear from the guidance if the best practices included in the guidance are an exhaustive list, but we know for sure they are a good start.

  1. Have a formal, well documented cybersecurity program (which (1) protects the infrastructure, information systems and the information in the systems from unauthorized access, use, or other malicious acts and (2) establishes strong security policies, procedures, guidelines, and standards).
  2. Conduct prudent annual risk assessments (which have a manageable, effective risk assessment schedule and codify the risk assessment’s scope, methodology, and frequency).
  3. Have a reliable annual third party audit of security controls (which provides a clear, unbiased report of existing risks, vulnerabilities, and weaknesses).
  4. Clearly define and assign information security roles and responsibilities (which are managed at the senior executive level, usually by the chief information security officer or similar role, and executed by qualified personnel).
  5. Have strong access control procedures (which emphasize authorization – whether someone is allowed to access certain data – and authentication – whether the user’s identity is genuine).
  6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments (which include requirements that the service provider use multi-factor authentication, encryption, and a notification protocol for a cybersecurity event which directly impacts a customer’s information systems or nonpublic information).
  7. Conduct periodic cybersecurity awareness training (which sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors and identity theft, such as individuals falsely posing as authorized plan officials, fiduciaries, participants or beneficiaries).
  8. Implement and manage a secure system development life cycle program (which includes penetration testing, code review, and architecture analysis).
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response (which are a set of instructions to help staff detect, respond to, and recover from security incidents).
  10. Encrypt sensitive data, stored and in transit (which uses current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit).
  11. Implement strong technical controls in accordance with best security practices (which include regular updates to hardware and software, vendor-supported firewalls, intrusion detection and prevention appliances/tools, regularly updated antivirus software, routine patch management, network segregation, system hardening, and routine data backup).
  12. Appropriately respond to any past cybersecurity incidents (which includes informing law enforcement, notifying the appropriate insurer, investigating the incident, giving affected plans and participants the information necessary to prevent/reduce injury, honoring any contractual or legal obligations with respect to the breach, including complying with agreed upon notification requirements, and fixing the problems that caused the breach to prevent its recurrence).

Choosing a Service Provider

ERISA mandates that fiduciaries act with “care, skill, prudence, and diligence ….” 29 U.S.C.A. § 1104. This standard applies to the selection of service providers, and the EBSA’s new guidance interprets this standard to include an analysis of the service provider’s cybersecurity practices as part of the fiduciary’s service provider selection and maintenance process. The following are activities, noted in the EBSA’s new guidance, that an ERISA plan fiduciary can use during its service provider selection process to analyze the service provider’s cybersecurity sophistication.

  1. Ask the service provider about its cybersecurity standards, practices, policies, and audit reports, and compare those to industry standards. It is a good sign if the service provider adheres to a recognized industry standard for information security. It is also a good sign if the service provider conducts at least annual audits of its cybersecurity practices and exposure.
  2. Research the service provider’s track record with cybersecurity, specifically whether it has experienced any data breaches, ransomware attacks, or other cyber incidents, including any related litigation or regulatory actions. Ask the service provider directly if it has experienced such cyber incidents and how it responded.
  3. Ask the service provider if it carries cyber-insurance, which can help mitigate risks associated with cyber-incidents.
  4. When drafting a contract with the service provider, make sure to include the following provisions:
  • audit (requirements that the service provider conduct annual audits to ensure compliance with its cybersecurity policies and procedures);
  • confidentiality (requirements that the service provider maintain the privacy of information and prevent its unauthorized access or disclosure);
  • breach notifications (requirements that the service provider promptly notify you of cyber incidents and cooperate in any investigations and remediation);
  • compliance with law and records retention (requirements that the service provider comply with state and federal data privacy and cybersecurity laws); and
  • insurance (requirements that the service provider hold insurance coverage such as professional liability and errors and omissions liability insurance, cyber-insurance, and fidelity bond or blanket crime coverage, with appropriate limits and terms).

By following the above recommendations, plan sponsors, plan fiduciaries, record keepers, and plan participants can help to mitigate some of the rapidly growing risk of cyber incidents. If you need assistance with your cybersecurity policies and procedures, with the selection/maintenance of, or contracts with, your current or potential service providers, or with more general questions regarding data privacy and/or cybersecurity laws, please contact a member of either the Cybersecurity & Data Privacy Practice Group or the Pension & Employee Benefits Practice Group.