On April 14, 2021, the Department of Labor (DOL) released guidance that provides best practices for ERISA plan fiduciaries and service providers to protect plan participants from cybersecurity threats. The guidance acknowledges that ERISA-covered plans often maintain millions of dollars in assets and personal data on plan participants, which can make them a target for cyber-criminals. Though the guidance is primarily aimed at 401(k) and pension plans, the same tips apply to the cybersecurity of ERISA health and welfare plans.
Most importantly, the DOL guidance indicates that plan fiduciaries (including employers) have an obligation to ensure the proper mitigation of cybersecurity risks for their ERISA plans. Given the recent uptick in cybersecurity attacks, employers should review and implement the DOL guidance to fulfill their obligations and ensure that their plan participants are adequately protected.
The DOL guidance consists of the following:
- Cybersecurity Program Best Practices: Best practices for recordkeepers and other service providers who are responsible for plan-related IT systems and data and for plan fiduciaries making prudent decisions on whether to hire certain service providers.
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices: Tips for plan sponsors to prudently select and monitor service providers that follow strong security practices.
- Cybersecurity Tips for Participants: Best practices for plan participants to reduce the risk of fraud.
Impact on Employers
The DOL recognizes that employers often rely on service providers to administer their plans, maintain plan records, keep participant data confidential and keep plan accounts secure. If an employer’s service provider is the victim of a cybersecurity attack, plan participants’ personal information and assets can be exposed and exploited. The DOL states that employers must ensure the proper mitigation of cybersecurity risks for their ERISA plans and that they have a responsibility under ERISA to prudently select and monitor their plans’ service providers. As such, employers should ensure their service providers follow strong cybersecurity practices.
To ensure a service provider is following adequate cybersecurity practices, the DOL provides employers with best practices to follow when choosing and contracting with a service provider, as outlined below:
- To determine whether a service provider follows strong cybersecurity practices, employers should do the following:
- Ask about the service provider’s information security standards, practices, policies, and audit results and compare them to industry standards. Employers should look for providers that follow a recognized standard for information security and use an outside auditor to review and validate their cybersecurity controls;
- Ask the service provider how it validates its practices and what levels of security standards it has met and implemented;
- Evaluate the service provider’s track record in the industry, including information on security incidents, litigation, and other legal proceedings related to the provider’s services;
- Ask whether the service provider experienced past security breaches, what happened, and how the service provider responded;
- Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats).
- When entering into contracts with service providers, employers should consider including the following provisions and should watch for provisions that weaken them:
- Require the service provider to be compliant with cybersecurity and information security standards on an ongoing basis;
- Beware of provisions that limit the service provider’s responsibility for IT and security breaches;
- Require the service provider to obtain an annual third-party audit to determine compliance with its information security policies and procedures;
- Clearly spell out the service provider’s obligation to keep information private, prevent the use or disclosure of information without written permission, and meet a strong standard of care to protect confidential information;
- Specify how quickly the service provider must notify the employer of any cybersecurity incident or data breach;
- Require the service provider’s cooperation when investigating and addressing the cause of any breach;
- Specify the service provider’s obligation to meet federal, state, and local laws pertaining to privacy, confidentiality, and security of plan participants’ personal information; and
- Require the service provider to have insurance coverage, such as professional liability, cyber liability, and privacy breach insurance.
Employers should document how they conducted due diligence regarding cybersecurity protections when selecting and monitoring service providers, so that they can demonstrate they have met their obligation to ensure the proper mitigation of cybersecurity risks for their ERISA plans.
The release of the cybersecurity guidance signals that the DOL has made cybersecurity enforcement a priority. Employers should be aware of their fiduciary duty to ensure the proper mitigation of cybersecurity risks for their ERISA plans and should diligently vet their service providers, include cybersecurity protections in provider contracts, and monitor providers for compliance using the tips and best practices laid out in the DOL guidance. Employers should perform this analysis for any service provider that handles plan participant information or data, including third-party administrators and program vendors.