Article | Insider

DOL issues cybersecurity tips and best practices

Benefits Administration and Outsourcing Solutions|Health and Benefits|Retirement|Total Rewards

By Gary Chase, William (Bill) Kalten and Benjamin Lupin | May 11, 2021

Retirement plan sponsors and fiduciaries should anticipate that their cybersecurity practices will be subject to DOL scrutiny.

The DOL recently issued three pieces of guidance on cybersecurity best practices for employee benefit plan sponsors, fiduciaries, recordkeepers, participants and beneficiaries: (1) Tips for Hiring a Service Provider With Strong Cybersecurity Practices, (2) Cybersecurity Program Best Practices, and (3) Online Security Tips. This is the first time the DOL has issued comprehensive guidance specific to cybersecurity.

Retirement plan sponsors and fiduciaries should anticipate that their cybersecurity practices will be subject to DOL scrutiny. Significantly, the guidance formally states that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” And at a conference last October, a DOL official previewing the guidance indicated that he expects the department’s investigations to focus more on the adequacy of cybersecurity programs, especially whether large plans are making sure the providers they hire observe good cybersecurity practices.

Background

In February 2021, the Government Accountability Office (GAO) released a report requested by Congress on steps the DOL could take to mitigate cybersecurity risks for defined contribution retirement plans. The report also recommended that the DOL 1) formally state that a plan fiduciary is responsible for mitigating cybersecurity risks, and 2) establish minimum expectations for addressing those risks.

In response, the DOL released three pieces of non-binding guidance, primarily directed toward retirement plans, which the DOL explains are prime targets for cybercriminals due in part to the large amount of assets they hold (estimated to be approximately $3.8 trillion in 2018). Although the guidance is potentially applicable to ERISA-covered health and welfare plans, many of the best practices overlap with the security standards for protecting protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Health plan sponsors may want to review both the DOL’s cybersecurity guidance and HIPAA when evaluating a service provider’s cybersecurity capabilities.

Tips for Hiring a Service Provider

The DOL’s Tips for Hiring a Service Provider are intended to help plan sponsors and fiduciaries meet their responsibilities under ERISA when selecting service providers that will handle plan records or participant data.

The tips include asking a vendor about the following during the selection process:

  • The vendor’s information security standards and other cybersecurity-related practices and policies (including whether an outside auditor reviews and validates cybersecurity), and how they compare with industry standards
  • How the vendor validates those practices, the level of security standards that have been met and implemented, and whether the contract will provide for the right to review audit results demonstrating compliance with the security standards
  • The vendor’s past experiences with cybersecurity incidents and security breaches
  • Whether the vendor has an insurance policy covering cybersecurity and identity theft (for internal and/or external threats)

These questions may also be helpful when reviewing the cybersecurity practices of an existing recordkeeper or vendor.

The DOL also suggests evaluating the service provider’s track record in the industry, including public information regarding information security incidents, and other litigation and legal proceedings related to the vendor’s services.

In addition, the tips include cybersecurity-related provisions that may be helpful to include or avoid in a vendor contract.

Cybersecurity Program Best Practices

The Cybersecurity Program Best Practices guidance provides detailed recommendations on 12 best practices for recordkeepers and service providers responsible for plan-related IT systems and data. These should also be used by plan fiduciaries when deciding which service providers to hire, and they may be helpful for plans that maintain their own plan administration systems, plan records or data.

The recommendations cover such topics as establishing and documenting a cybersecurity program, conducting risk assessments and audits, providing training, using encryption for sensitive data and responding to cybersecurity incidents.

It is important to note that the DOL also includes a list of items it would “expect to see” in an effective audit program, a signal that the DOL might cover cybersecurity issues in its audits.

Finally, this document is noteworthy for the DOL’s statement (without providing any background or explanation) that fiduciaries are responsible for overseeing efforts to mitigate cybersecurity risks. The DOL also signals that cybersecurity could be covered during DOL audits.

Online Security Tips

The final piece of guidance is a list of best practices intended to help plan participants and beneficiaries protect their retirement accounts; however, the Online Security Tips are broad enough that they can apply to a range of online activities. Tips include suggestions for setting up, monitoring and securing online accounts; recommendations for avoiding phishing attacks; and links for reporting identity theft and cybersecurity incidents.

Going forward

Plan sponsors and fiduciaries should review the DOL’s tips and best practices to better manage cybersecurity and DOL audit risks and consider using them when:

  • Selecting a new recordkeeper or other service provider and during the contracting process, to help evaluate vendor cybersecurity practices
  • Evaluating existing vendors and renewing contracts, since fiduciary responsibility includes oversight and monitoring of existing vendors
  • Evaluating current IT security programs, for plans that handle IT systems and data internally

Although not required, plans should also consider providing participants and beneficiaries with a copy of the Online Security Tips. Note that the Online Security Tips are not subject to ERISA’s distribution requirements, so the notice may be shared through any preferred method (e.g., on the sponsor’s intranet, in an employee newsletter or via email).

Authors

  • Director, Retirement and Executive Compensation
  • Senior Director, Retirement and Executive Compensation
  • Senior Regulatory Advisor, Health and Benefits
