U.S. Department of Labor announces cybersecurity guidance for ERISA plans

On April 14, 2021, the U.S. Department of Labor (DOL), for the first time ever, released cybersecurity guidance for retirement plan sponsors, service providers, and participants. With approximately $9.3 trillion in retirement plan assets nationwide, it is important that retirement plan sponsors, trustees, and any other service providers with discretion or control over retirement plan assets (collectively, “fiduciaries”) review the DOL guidance and ensure that there are policies and controls in place to protect retirement plan assets from cyberattacks. Non-fiduciary service providers such as record-keepers and third-party administrators (TPAs) should also review the guidance and work with plan fiduciaries to ensure that there are policies and controls in place to protect retirement plan assets from cyberattacks. (The DOL also addresses steps participants can take to protect their retirement funds via its Online Security Tips.)

The guidance consists of three documents published on the DOL's website, summarized below:

Tips for Hiring a Service Provider – When evaluating and retaining a plan service provider, fiduciaries are advised to:

    • Inquire about the provider's cybersecurity practices, policies, and procedures;
    • Request information regarding any past security breaches;
    • Request that the service provider carry insurance against cyberattacks; and
    • Have ERISA counsel request specific contract language addressing cybersecurity obligations and breach notification.

Cybersecurity Program Best Practices – Cybersecurity best practices for fiduciaries include, but are not limited to, the following:

    • Develop and document a formal cybersecurity program;
    • Conduct prudent annual risk assessments and evaluate the results;
    • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
    • Conduct periodic cybersecurity awareness training; and
    • Encrypt sensitive data, both at rest and in transit.

Online Security Tips – The online security tips are directed primarily towards participants and offer password, encryption, and data privacy suggestions.

The DOL’s guidance “alerts” fiduciaries that cybersecurity-related policies, procedures, documentation and internal controls are components of their fiduciary obligation to protect retirement plan assets. Even though the guidance is informal, we anticipate that the DOL will inquire about cybersecurity procedures and internal controls during plan audits.

While cyberattacks will be a constant threat to the security of plan assets and preventing every cyberattack is impossible, fiduciaries that maintain appropriate policies and procedures to prevent cyberattacks will likely be deemed to have satisfied their fiduciary obligations. Fiduciaries are not required to prevent 100% of cyberattacks, but to successfully defend against a breach-of-fiduciary-duty claim they must be able to show that appropriate cybersecurity policies and procedures exist and are properly followed.

Fiduciaries should work with their ERISA attorneys to review and evaluate plan cybersecurity procedures, evaluate service provider agreements to ensure TPAs and record-keepers have appropriate cybersecurity policies in place, and regularly conduct an internal review/audit of any cybersecurity procedures in place.

Saxton & Stump’s Employee Benefits and Executive Compensation team regularly assists plan sponsors, fiduciaries, record-keepers, trustees and participants in maintaining compliance with IRS and DOL rules and regulations. Attorney Sarah Ivy is available to discuss the latest DOL guidance or other retirement plan matters.