The Department of Labor (DOL) issued a three-part guidance packet (Guidance Packet) on April 14, 2021, to help plan sponsors, recordkeepers, and other service providers maintain cybersecurity compliance and protect participants in benefit plans subject to the Employee Retirement Income Security Act (ERISA) of 1974, as amended. The Guidance Packet consists of cybersecurity best practices (Best Practices), tips for plan sponsors to assess the cybersecurity practices of service providers (Fiduciary Tips), and cybersecurity tips for participants. At present, it appears that the Guidance Packet is intended to be applicable for fiduciaries of all ERISA plans, meaning the tips and best practices in the Guidance Packet can be used for retirement plans as well as health and welfare plans.
Although issued as informal tips and best practices, the Guidance Packet is likely intended to establish a minimum standard of care, which may indicate that the DOL intends to focus future enforcement efforts on cybersecurity. Plan sponsors maintain significant amounts of personal information, including sensitive financial information, which makes sponsors and their service providers prime targets for cyber attackers. The DOL states that the Best Practices are for recordkeepers and other service providers, so service providers who handle participant data should ensure they take the steps outlined in the Guidance Packet to protect plan and participant data from cybersecurity threats. However, the DOL also states in the Guidance Packet that all plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. Plan sponsors, as plan fiduciaries who handle participant data and who are responsible for selecting and monitoring service providers, should therefore also review and understand the Best Practices, both to implement them internally and to confirm that any of the plan's service providers that handle plan or participant data have implemented them as well.
Internal Cybersecurity Best Practices—Implement a Comprehensive Cybersecurity Program
Establishing Roles and Procedures
One key aspect of the Guidance Packet is that plan sponsors and any service providers who have access to participant- or plan-related data (Responsible Parties) should implement a formal, documented cybersecurity program. The program should establish cybersecurity procedures, establish steps to identify and address risks, and should clearly define and assign roles to individuals responsible for any aspects of the program. It should also outline a Secure System Development Life Cycle (SDLC) program for the Responsible Party to follow to ensure that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the Responsible Party’s efforts to develop a secure system.
Furthermore, the Responsible Party’s cybersecurity program should include strong access control procedures to protect private data, including the following:
- Provide data access only to individuals who need the data to perform their duties, and limit each individual's access to only the data needed for those duties;
- Regularly review accounts and remove access for any unnecessary or unused accounts (the DOL suggests that access privileges be reviewed at least every three months);
- Require complex passwords or, preferably, multi-factor authentication (a password alone, however complex, does not protect an account against phishing or reuse of credentials exposed in another breach);
- Monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with private data;
- Compare participants’ and beneficiaries’ sensitive information in the Responsible Party’s records to information in the plan’s records to ensure that the information matches; and
- Confirm the identity of the authorized recipient before disbursing plan funds.
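The first three access control items above (least privilege, a review of accounts at least every three months, and multi-factor authentication) lend themselves to a repeatable check. The following script is an illustration added here; it is not part of the DOL Guidance Packet or of any recordkeeper's system. The account record layout, the role names, the data scopes in `ROLE_SCOPES`, and the sample accounts are all constructed assumptions; a real review would pull the same fields from the identity provider or the recordkeeping platform's user export.

```python
"""Quarterly access review over constructed account records.

Added illustration only: the record layout, role names and data scopes below
are assumptions for the example, not a format defined by the DOL guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed least-privilege map: the data scopes each role legitimately needs.
# Any scope an account holds beyond its role's set is an excess entitlement.
ROLE_SCOPES: Dict[str, Set[str]] = {
    "recordkeeper_analyst": {"participant_pii", "account_balances"},
    "benefits_admin": {"participant_pii", "enrollment"},
    "help_desk": {"contact_info"},
}


@dataclass
class Account:
    user: str
    role: str
    scopes: Set[str]
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never been used


def stale_accounts(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Accounts unused for longer than max_idle_days (the DOL suggests reviewing
    access at least every three months, so 90 days is the assumed cutoff)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.user for a in accounts if a.last_login is None or a.last_login < cutoff)


def over_privileged(accounts: List[Account], role_scopes: Dict[str, Set[str]] = ROLE_SCOPES) -> Dict[str, Set[str]]:
    """Entitlements beyond what the account's role needs. An account whose role is
    not in the map has no approved scope at all, so every scope it holds is flagged."""
    findings: Dict[str, Set[str]] = {}
    for a in accounts:
        excess = a.scopes - role_scopes.get(a.role, set())
        if excess:
            findings[a.user] = excess
    return findings


def missing_mfa(accounts: List[Account]) -> List[str]:
    """Accounts still protected by a password alone."""
    return sorted(a.user for a in accounts if not a.mfa_enabled)


def quarterly_access_review(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> Dict[str, object]:
    """One review run; each finding is something a reviewer must remove or justify."""
    return {
        "stale": stale_accounts(accounts, as_of, max_idle_days),
        "over_privileged": over_privileged(accounts),
        "missing_mfa": missing_mfa(accounts),
    }


# Constructed sample data for the example (not real accounts or people).
SAMPLE_ACCOUNTS = [
    Account("alice", "recordkeeper_analyst", {"participant_pii", "account_balances"}, True, date(2021, 6, 1)),
    Account("bob", "help_desk", {"contact_info", "account_balances"}, True, date(2021, 5, 20)),
    Account("carol", "benefits_admin", {"participant_pii", "enrollment"}, False, date(2021, 1, 15)),
    Account("dave", "contractor", {"participant_pii"}, True, None),
]
REVIEW_DATE = date(2021, 6, 30)  # assumed end-of-quarter review date

if __name__ == "__main__":
    for finding, detail in quarterly_access_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{finding}: {detail}")
```

Against the sample data the review flags carol and dave as stale (carol's last login is more than 90 days before the review date, dave's account has never been used), bob as over-privileged (a help desk role holding account balance access) and dave for holding participant PII under a role that has no approved scope, and carol as lacking multi-factor authentication. The point of keeping the three checks separate is that each maps to a different remediation: disable, re-scope, or enroll in MFA.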
The Responsible Party’s cybersecurity program should also require current and prudent standards for encrypting sensitive data—both while stored and while in transit.
In addition to establishing procedures, a Responsible Party’s cybersecurity program should provide for ongoing reviews to ensure the continued effectiveness of the program. This process should include:
- Conducting annual internal risk assessments to ensure the program still meets privacy needs;
- Obtaining an annual third-party audit of security controls;
- Implementing and maintaining up-to-date technical controls (e.g., keeping software, hardware, and firmware patched and current, and performing and testing regular backups);
- Providing ongoing cybersecurity awareness training for employees, at least annually; and
- Ensuring that any data stored in a cloud or managed by a third party is subject to appropriate security reviews and independent assessments.
Plan sponsors should also regularly assess whether service providers are meeting the requirements of their cybersecurity programs (see below for more tips for assessing service provider cybersecurity practices).
Breach Response and Recovery Procedures
A Responsible Party’s cybersecurity program should outline how it will detect and respond to cybersecurity breaches, including any actions to be taken and the parties responsible for taking those actions. The program should also provide for steps to fix any problems that caused the breach to prevent recurrence.
Each state now has its own law governing data breach notification and the steps that must be taken in the event of a breach, so the incident response procedure in any cybersecurity program should incorporate those requirements. It is important to review the applicable breach notification laws to determine whether an incident meets the definition of a breach under each law and whether notification to the affected individuals or to state authorities is required. These laws also prescribe the timing and content of notifications and, in some cases, the steps that must be taken to limit harm to affected plans or individuals. Some jurisdictions require action within a short, fixed period after a breach is discovered, so a Responsible Party should not wait until a breach occurs to engage counsel. We recommend that a Responsible Party work with an attorney while preparing its cybersecurity program so that proper and timely action can be taken after a breach, in accordance with applicable laws and DOL guidance.
Finally, the cybersecurity program should incorporate the business continuity, disaster recovery, and incident response components of the Responsible Party's business resiliency program. The Best Practices provide a number of considerations for such a program.
Evaluating Service Providers
Perform Due Diligence
In addition to the Best Practices, the Guidance Packet also contains the Fiduciary Tips for plan sponsors to use when choosing and evaluating service providers. Before hiring a service provider, plan fiduciaries should perform due diligence on any potential service provider. While there are many considerations when choosing a service provider, the Guidance Packet suggests taking the following steps to assess whether the provider’s cybersecurity program is adequate:
- Obtain information about the standards and practices of the provider’s cybersecurity program to compare to industry standards, as well as to the requirements above.
- Ensure the provider uses an outside auditor to review and validate its cybersecurity practices on at least an annual basis, and find out any other ways the provider validates its cybersecurity practices.
- Research any prior security breaches. This would include accessing information on the events that occurred, as well as the provider’s response and any steps taken to prevent a recurrence.
- Learn about any cybersecurity or identity theft insurance coverage the provider has, both for misconduct by the provider’s own employees as well as for outside threats.
Review Service Agreements Carefully
Once a plan sponsor has selected a service provider, it is important to understand the terms of the service agreement with that provider and to confirm that those terms adequately protect plan participants. A plan sponsor should make sure that the service agreement requires ongoing compliance with cybersecurity standards, and should watch for any contract provisions that limit the service provider's responsibility for cybersecurity breaches.
The Guidance Packet also recommends reviewing the service agreement to ensure that it includes provisions for the following:
- Requirement that the provider annually obtain a third-party audit to determine the provider’s compliance with cybersecurity policies and procedures. The agreement should also permit the plan sponsor to receive a copy of the provider’s cybersecurity audit.
- Requirement that service providers (at least those likely to handle sensitive plan data) maintain recognized third-party certifications, such as ISO/IEC 27001 or AICPA SOC 2, or submit to other comprehensive third-party assessments. A certification or SOC 2 report covers only the systems and controls within its stated scope, so the plan sponsor should confirm that the scope actually includes the systems that process plan and participant data.
- Clear terms regarding confidentiality and the use and sharing of information. These terms should specify that the provider is obligated to keep private information private and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification, or misuse.
- Procedures to be followed in the event of a breach. This includes required timing for notifying the plan sponsor of the breach, as well as ensuring the provider cooperates in investigating and addressing the cause of the breach.
- Provision stating that the provider will meet all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.
- Stipulation that the provider must carry certain insurance coverage. This could include errors and omissions coverage, cyber liability and privacy breach insurance, or blanket crime coverage. The plan sponsor should also confirm the terms and limits of any such coverage.
Organizations that already have obligations under the Health Insurance Portability and Accountability Act (HIPAA), the Massachusetts Data Security Regulations, or New York's Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) will have a head start in addressing these issues with service providers, as those laws require information security programs that include security assessments of service providers. However, the HIPAA security standards only safeguard Protected Health Information (PHI), so plan sponsors may have to revise existing policies and procedures to secure plan-related information that does not constitute PHI.
If you have any questions about the Guidance Packet or any other cybersecurity questions, please do not hesitate to contact any members of the Employee Benefits and Executive Compensation or Cybersecurity and Privacy teams at Morris, Manning & Martin, LLP.