Seyfarth Synopsis: Retirement plans hold millions (sometimes, hundreds of millions) of dollars in assets, and participants’ personal information is increasingly maintained and accessible online. With such large amounts of money accessible electronically, retirement plans can be a prime target for cyber-criminals. In response to this growing issue, on April 14, 2021, the Department of Labor (“DOL”) issued a three-part set of informal guidance with best practices and suggestions from different perspectives for addressing cybersecurity in the retirement plan world. Acknowledging that businesses largely rely on third parties, namely, the plan’s recordkeeper, to secure and protect participant data, the guidance describes what cybersecurity protection to look for when selecting service providers. The guidance also provides tips for recordkeepers and other service providers responsible for maintaining plan data, and ideas for plan participants on safeguarding their data and plan accounts online.
The three guidance documents are titled: Tips for Hiring a Service Provider with Strong Security Practices, Cybersecurity Program Best Practices and Online Security Tips.
“Tips When Hiring a Service Provider With Strong Security Practices” (for Plan Fiduciaries)
Plan administrators have a fiduciary duty under ERISA to act prudently when selecting and monitoring plan service providers. This DOL two-page guidance document provides tips for fiduciaries when hiring a service provider, and provisions to include in the contract with the service provider.
The tips to consider when evaluating a service provider include:
- Consider the service provider’s cybersecurity standards, practices, policies and results, and compare these to standards adopted by other service providers in the industry.
- Look for a service provider that follows a “recognized standard” for information security and that uses a third-party auditor to review and validate its cybersecurity practices.
- Ask the service provider how it validates its cybersecurity practices and levels of security standards it has met and implemented.
- Evaluate the service provider’s track record. How has it handled past security breaches?
- Consider whether the service provider carries any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (for both internal and external threats).
Observation. These tips could be helpful, and highlight what many plan administrators already consider when evaluating and hiring service providers. However, as we have seen, adhering to these tips and suggestions may reduce the likelihood or severity of data breaches, but they are not a guarantee against cybersecurity issues.
“Cybersecurity Program Best Practices” (for Service Providers)
The DOL also issued a number of best practices for use by plan recordkeepers and other service providers that are responsible for plan data. The best practices include having a formal, well-documented cybersecurity program, conducting annual risk assessments and third-party audits of security controls, conducting periodic cybersecurity awareness training and appropriately responding to any past cybersecurity incidents. The DOL has indicated that these items should be reviewed and considered by the plan fiduciaries when evaluating whether to hire a service provider.
Observation. When reviewing a service provider’s cybersecurity program and internal controls, plan administrators may want to consider involving individuals from the IT department or an outside security consultant to ensure that explanations provided by the vendor align with these best practices.
“Online Security Tips” (for Participants)
The DOL guidance illustrates that it is not solely up to plan fiduciaries and plan service providers to take the necessary steps to secure plan data. Plan participants also play a vital role in reducing the risk of fraud and retirement plan account losses resulting from cyber-attacks. The third part of the DOL guidance provides online security tips for participants, including the use of unique passwords, two-factor authentication, regularly monitoring plan accounts, being cautious of phishing attacks and making sure that antivirus software is current. The guidance does not currently suggest that plan fiduciaries or service providers should periodically provide online security tips to participants.
Observation. Plan administrators and recordkeepers may want to consider reviewing and updating summary plan descriptions, enrollment materials and other annual participant-facing notices to incorporate some of these security tips so that participants are on notice of the steps that they can take to reduce the risk of fraud and retirement account losses resulting from unauthorized access to their retirement account.
This informal guidance illustrates that protecting against data breaches is complicated and not an all-or-nothing proposition. A plan administrator could follow every tip outlined by the DOL when selecting a service provider, but if the participant compromises his or her own account password, the administrator’s efforts are moot. Thus, service providers, plan fiduciaries and participants should all take steps to protect against cybersecurity breaches.
Please contact your Seyfarth Employee Benefits Attorney with any questions you may have about this guidance and its application to your plan.