Cybersecurity and data privacy are growing concerns for employers and organizations of all sizes. A number of state, federal, and international data privacy laws may already apply to your organization, and now the Department of Labor (“DOL”) has stepped in with guidance that will push plan sponsors and plan service providers to take data privacy more seriously in order to protect plan assets and participant data. After several years of speculation over whether participant data constitutes a “plan asset,” the DOL announced guidance last week (issued April 14, 2021) on cybersecurity best practices and tips for protecting both ERISA plan assets and participant data. This is the first time the DOL has issued cybersecurity guidance, and the DOL has made clear that plan fiduciaries have an obligation to ensure that cybersecurity risks are properly mitigated. Although plan sponsors and service providers have dealt with HIPAA compliance for many years because it applies directly to group health plans, addressing data privacy for all retirement plans may be a fairly new concept for many. This client alert provides a brief summary of the guidance, which will help plan sponsors and fiduciaries fulfill their obligations to a plan and its participants.
Cybersecurity Program Best Practices
Plan sponsors, plan fiduciaries, recordkeepers, and plan participants must take appropriate precautions to mitigate the growing risk of cybersecurity threats to plan assets and participant information. The DOL’s best practices call for a service provider to:
- Have a formal, well documented cybersecurity program;
- Conduct prudent annual risk assessments;
- Conduct a reliable annual third-party audit of security controls;
- Clearly define and assign information security roles and responsibilities;
- Implement strong access control procedures;
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
- Conduct periodic cybersecurity awareness training;
- Implement and manage a secure system development life cycle (SDLC) program;
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- Encrypt sensitive data, both at rest and in transit;
- Implement strong technical controls in accordance with best security practices; and
- Appropriately respond to any past cybersecurity incidents.
The guidance includes specific details for each suggested best practice, including the DOL’s suggested elements of a “sound cybersecurity program.” Plan fiduciaries must incorporate these considerations when making prudent decisions on retaining service providers. McGrath North can assist plan sponsors in implementing each of the best practices.
Tips for Hiring a Service Provider
Additionally, selecting a plan service provider is an important fiduciary function for plan sponsors. The guidance includes a number of tips for prudently selecting and monitoring service providers to reduce the risk of a security breach. For example, plan sponsors should request information about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other similar institutions. Plan sponsors should also evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the services being provided. Investigating past security breaches experienced by the service provider or its vendors is also an important step, regardless of whether the service provider is a new or existing provider to the plan.
Plan sponsors should take a detailed look at each of their service provider contracts to ensure the contracts contain appropriate data privacy, breach reporting, incident response, mitigation, audit, insurance, indemnification, and liability provisions that adequately protect both plan participants and the plan itself. McGrath North has in-depth experience reviewing, negotiating, and drafting these contracts for its clients.
Online Security Tips
The DOL also provided security tips for plan participants to reduce the risk of fraud and loss to their individual accounts. The DOL recommends that plan participants register for and routinely monitor their online accounts, use strong and unique passwords, enable multifactor authentication, and follow the DOL’s other recommended protections, such as keeping contact information current and staying alert to phishing. Plan participants are well advised to review the DOL’s security tips to protect themselves from the risk of a cybersecurity breach.
Cybercrime poses a significant threat to plan assets and sensitive participant information. Particularly in light of the increased reliance on remote work and virtual account management as a result of the COVID-19 pandemic, the new DOL guidance gives plan sponsors and administrators an opportunity to review their contracts and protection protocols for vulnerabilities and areas for improvement. If you have questions about the new DOL cybersecurity guidance, its implementation, how to protect the plan from the risk of a breach, or reviewing and negotiating your service provider contracts, please reach out to Caroline Nelsen at email@example.com or 402-633-9575.