Retirement plans are increasingly subject to cybersecurity issues, and the U.S. Department of Labor (DOL) is taking notice. On April 14, 2021, the DOL published cybersecurity guidance “for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips” for hiring service providers and online security tips for participants. In recent years, DOL guidance that eased rules related to electronic communications to plan participants might have helped make participants more susceptible to phishing attempts that masquerade as official plan communications. Additionally, a 2019 Internal Revenue Service hardship withdrawal rule allowed participants to electronically submit self-certifications for meeting hardship withdrawal requirements. Then, in 2020, the DOL finalized new electronic disclosure rules for retirement plans. The DOL now appears to be attempting to strike a balance between increased electronic communication and cybersecurity measures.
Litigation arising under the Employee Retirement Income Security Act of 1974 involving cybersecurity threats has highlighted a plan administrator’s duty to prudently select and monitor service providers. While this is an area with only limited litigation to date, employers so far have fared well, with cases frequently dismissed. In a February 8, 2021, order granting an employer’s motion to dismiss, the U.S. District Court for the Northern District of Illinois found that the employer could not have breached its duty to prudently select the recordkeeper, because all cybersecurity incidents occurred after the date that the employer initially hired the recordkeeper and prior to the recordkeeper’s rehire. The court concluded that cybersecurity incidents occurring prior to the recordkeeper’s contract renewal did not amount to making the recordkeeper an “objectively unreasonable” choice of provider. In evaluating these events, the court stated that they were “limited in size and scope, did not involve significant lapses in security protocols, and no client funds were stolen.”
Employers also can take comfort in a holding in recent class action litigation on the use of participant data, including names, contact information, and Social Security numbers. The court determined that such information, when held by plan fiduciaries, generally does not constitute an ERISA plan asset. This holding closes the door to several ERISA causes of action, such as prohibited transaction claims, concerning the use and transfer of participant information. In the case, the recordkeeper had allegedly used plan participants’ contact information to cross-sell other products to the participants, such as credit cards, individual retirement accounts, and life insurance. The plaintiffs had sought to pursue breach-of-fiduciary duty and prohibited transaction claims predicated on the use of plan participant information. In granting the dismissal, the U.S. District Court for the Southern District of Texas looked to the two regulations defining plan assets as participant contributions and plan investments, and found that neither made any reference to “data,” a conclusion supported by earlier precedent.
The DOL’s best practices guidance includes many specific action points. Several of the DOL’s recommendations are highlighted below.
- Create and maintain well-documented cybersecurity programs. The DOL advises plans and service providers to implement sound programs maintained by cybersecurity teams managed at the senior executive level (by chief information security officers, for example). The DOL’s guidance includes a recommendation that independent third-party auditors review such programs annually. The guidance also states that cybersecurity programs should address access controls, physical security, incident response, and cybersecurity training, as well as the technical aspects of data privacy: data backup, data disposal, systems operations, network security and monitoring, firewalls, intrusion detection, antivirus software, patch management, multi-factor authentication, and encryption.
- Conduct annual risk assessments and/or third-party audits. The DOL notes that risk assessments should identify weaknesses in existing systems and controls. In addition, assessments should analyze how well risks were identified and how effective the response was to any incidents in the previous year. The guidance also states that cybersecurity teams should update their programs to address any weaknesses identified and respond to changes in technology, data privacy regulations, and the nature of cybersecurity threats. These assessments can be outsourced to unbiased third-party auditors. The DOL advises employers to retain sufficient documentation of third-party audits and testing reports, files, and supporting documents, including records of any corrective measures taken in response to audit findings.
- Establish strong access controls. Access to plan participant data should be limited based on a “need-to-access principle.” The DOL recommends reviewing access privileges at least every three months, including disabling or deleting inactive accounts. Users with access to participant data should be required to use multi-factor authentication and complex, unique passwords. A cybersecurity program should address the monitoring of authorized user activity.
- Require annual risk assessments for all third-party service providers (and their service providers). In the guidance, the DOL encourages plans to negotiate with all service providers, including cloud storage vendors, to require annual risk assessments or third-party security audits of any of their service providers that have access to participant data. All audit documentation should be provided to the plans as part of annual service-provider cybersecurity review processes. Plans’ cybersecurity teams should identify minimum protections that must be met by service providers.
- Maintain system development life cycle (SDLC) programs. An SDLC program should implement controls to confirm any participant requests for loans, withdrawals, and distributions. The DOL suggests that these controls may include sending alerts to participants via several methods of communication after any account information has been changed, requiring waiting periods before processing any account requests if information has recently been changed, and requiring several forms of validation for any large or multiple non-rollover distributions.
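The distribution controls described in the last item (alerts on several channels after an account-information change, a waiting period before processing requests that follow such a change, and extra validation for large or repeated non-rollover distributions) can be expressed as a small decision routine. The following is an added illustration, not code from the DOL guidance or from any recordkeeper; the waiting period, the large-amount threshold, the look-back window and the alert channels are assumed values chosen for the example, since the guidance names no figures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy parameters: the DOL guidance names no specific figures.
WAITING_PERIOD = timedelta(days=7)                # hold requests this long after a profile change
LARGE_AMOUNT_THRESHOLD = 10_000.00                # non-rollover amount that triggers extra validation
MULTI_DISTRIBUTION_WINDOW = timedelta(days=30)    # look-back window for "multiple distributions"
ALERT_CHANNELS = ("email", "sms", "postal_mail")  # several channels, so one compromised channel is not enough


@dataclass
class Account:
    participant_id: str
    last_profile_change: Optional[datetime] = None     # e.g. bank details, address or e-mail edited
    recent_distributions: List[datetime] = field(default_factory=list)


@dataclass
class DistributionRequest:
    participant_id: str
    amount: float
    requested_at: datetime
    is_rollover: bool = False


def record_profile_change(account: Account, changed_field: str, when: datetime) -> List[dict]:
    """Record an account-information change and build one alert per channel.

    Alerting on every channel matters: someone who has just changed the e-mail
    address on file would otherwise be the only one to see the notice of that change.
    """
    account.last_profile_change = when
    return [
        {
            "channel": channel,
            "participant_id": account.participant_id,
            "message": f"Your {changed_field} was changed on {when:%Y-%m-%d}. "
                       "If you did not make this change, contact the plan immediately.",
        }
        for channel in ALERT_CHANNELS
    ]


def evaluate_request(request: DistributionRequest, account: Account) -> Tuple[str, List[str]]:
    """Decide whether a loan/withdrawal/distribution request may proceed.

    Returns (status, reasons) where status is "hold", "additional_validation" or "approve".
    """
    reasons: List[str] = []

    # Control 1: waiting period after any account-information change.
    if account.last_profile_change is not None:
        since_change = request.requested_at - account.last_profile_change
        if since_change < WAITING_PERIOD:
            remaining = WAITING_PERIOD - since_change
            reasons.append(f"profile changed {since_change.days} day(s) ago; hold {remaining.days} more day(s)")
            return "hold", reasons

    # Control 2: extra validation for large or repeated non-rollover distributions.
    if not request.is_rollover:
        if request.amount >= LARGE_AMOUNT_THRESHOLD:
            reasons.append(f"amount {request.amount:,.2f} meets large-distribution threshold")
        window_start = request.requested_at - MULTI_DISTRIBUTION_WINDOW
        earlier = [d for d in account.recent_distributions if d >= window_start]
        if earlier:
            reasons.append(f"{len(earlier)} prior distribution(s) in the last {MULTI_DISTRIBUTION_WINDOW.days} days")

    if reasons:
        return "additional_validation", reasons
    return "approve", reasons


# Constructed sample data (hypothetical participant ids and dates) to exercise each control.
NOW = datetime(2021, 5, 3, 9, 0)


def demo() -> dict:
    acct = Account("P-1001")
    results = {}
    results["clean"] = evaluate_request(DistributionRequest("P-1001", 2_500.00, NOW), acct)
    alerts = record_profile_change(acct, "bank account", NOW - timedelta(days=2))
    results["alert_count"] = len(alerts)
    results["after_change"] = evaluate_request(DistributionRequest("P-1001", 2_500.00, NOW), acct)
    acct2 = Account("P-1002", recent_distributions=[NOW - timedelta(days=10)])
    results["repeat_large"] = evaluate_request(DistributionRequest("P-1002", 15_000.00, NOW), acct2)
    results["rollover"] = evaluate_request(DistributionRequest("P-1002", 15_000.00, NOW, is_rollover=True), acct2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The waiting-period check is evaluated first and short-circuits to a hold, because a request that closely follows a change to bank or contact details is the pattern the control exists to catch; the large-amount and multiple-distribution checks apply only to non-rollover requests, matching the guidance's wording, so a rollover of the same amount is approved on its own merits.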
The DOL also published separate guidance regarding the prudent hiring of service providers, highlighting the importance of this duty for ERISA plan sponsors. Plan sponsors may wish to consider the following questions raised by the DOL’s guidance:
- How do the service provider’s information security standards and policies compare to those of other financial institutions? The DOL advises that the contract with the service provider should “require ongoing compliance with cybersecurity and information security standards.”
- Does the service provider receive annual third-party audits, and is it willing to share the audit reports with clients?
- Has the service provider had any publicly reported security incidents or legal proceedings related to cybersecurity?
- How has the service provider responded to past breaches, if any?
- Does the service provider carry insurance that covers losses caused by cybersecurity breaches? The DOL advises looking for a policy that protects against internal threats (such as employee or contractor misconduct) as well as external ones.
Due to the ever-evolving nature of cybercrime, the DOL’s guidance suggests that plan sponsors maintain cybersecurity policies with routine reviews and updates to keep up with technological changes. The DOL’s publication of the guidance may indicate that the agency will pay more attention to cybersecurity in future plan audits.