In April 2021, the Department of Labor (DOL) issued best practices guidance on cybersecurity measures for ERISA retirement plans. Shortly thereafter the DOL began actively auditing plans for cybersecurity. The guidance establishes minimum requirements for addressing cybersecurity risk and was issued in three parts: (click link to DOL guidance)
- Cybersecurity Best Practices
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices
- Online Security Tips
The guidance is written as best practices for plan sponsors and service providers. The DOL, however, has made clear that: 1) cybersecurity is a fiduciary responsibility; 2) plan sponsors and providers have a duty to be proactive regarding the cybersecurity of plan and participant information; and 3) the DOL guidance establishes the minimum expectations for audit purposes.
The Best Practices and Tips for Hiring a Service Provider specifically include expectations that plans have a formal, well-documented cybersecurity program, conduct annual risk assessments, have a reliable annual third party audit of security controls, have strong access control procedures, encrypt sensitive data, and effectively respond to cybersecurity incidents. Plan fiduciaries also must take steps to ask about service provider’s cybersecurity measures and to evaluate those measures. Many of the cybersecurity protocols and measures included in the guidance may already be in place, but it is the responsibility of plan sponsors and providers to ensure their proper use and compliance.
The Online Security Tips provide common-sense methods for plan participants to reduce the risk of fraud or loss of retirement account information – – routinely monitoring accounts; using strong, unique passwords; using multi-factor authentication; being wary of free Wi-Fi; and using current antivirus software.
Plan sponsors and providers should also make every effort to comply with the guidance and prepare for possible DOL audits as soon as possible (see DOL Cybersecurity Audit document request list, below.). As already noted, the DOL did not waste any time in starting its audit initiative on this issue. Plans should consult with service providers to ensure the necessary records are maintained and that the various cybersecurity measures discussed in the guidance are in place. If a plan is audited and the plan administrator is unable to produce the requested documents, it will need to specify the reasons for non-production.
The DOL’s quick move to commence cybersecurity audits after issuing guidance is unusual and makes clear that implementation and monitoring of cybersecurity measures has to be a priority for both plan sponsors and providers. Should you have any questions regarding the new guidance, please do not hesitate to contact Ed Feibel, Anne O’Donovan, or Jack Bjorn in the Eaton Peabody Employee Benefits Practice Group.
DOL CYBERSECURITY DOCUMENT REQUESTS FOR AUDITS
- All policies, procedures, or guidance relating to:
- Data governance, classification, and disposal
- The implementation of access controls and identity management, including any use of multi-factor authentication
- The process for business continuity, disaster recovery, and incident response
- The assessment of security risks
- Data privacy
- Management of vendors and third party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties
- Cybersecurity awareness training
- Encryption to protect all sensitive information transmitted, stored, or in transit
- All documents and communications relating to any past cybersecurity incidents
- All security risk assessment reports
- All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses
- All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers
- All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis
- All documents describing security technical controls, including firewalls, antivirus software, and data backup
- All documents and communications from service providers relating to their cybersecurity capabilities and procedures
- All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data
- All documents and communications describing the permitted uses of data by the sponsor of the plan or by any service providers of the plan, including but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services
Plans should consult with service providers to ensure the above records are maintained and that the above cybersecurity measures are in place. If the DOL audits a plan, and the plan sponsor is unable to produce documents responsive to the list above, it will need to specify the requests and the reasons for non-production.