DOL’s Khawar Says ‘Partnership’ Needed to Combat Cyber Risks

The principal deputy assistant secretary for EBSA discusses how plan fiduciaries have been using DOL best practice guidance, and why health care may be next.

Art by Karlotta Freier


The U.S. Department of Labor issued cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants back in April 2021. It was the first time the DOL’s Employee Benefits Security Administration had issued a notice on cybersecurity, and it has since become an industry standard.

The five-page best practices document is a relatively straightforward and practical guide for protecting American’s more than $9 trillion in retirement assets. But as a recent breach of plan-related data that exposed participant information showed, the guidance remains crucial in a fast-evolving criminal industry targeting personal information.

Never miss a story — sign up for PLANADVISER newsletters to keep up on the latest retirement plan adviser news.

The guidance was not designed to target any single group within the large ecosystem of employer retirement plan services, but to remind everyone involved that they have a role to play, says Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration.

“We know of situations where everyone is looking at each other and saying, ‘Well, why didn’t they do more?’ And everyone’s kind of pointing the figure at each other,” he says. “I think everybody knows how those situations go: They happen. That was what we wanted to avoid.”

Khawar recently spoke with PLANADVISER about developments and EBSA focus areas for cybersecurity. The interview was edited for length.

PLANADVISER: EBSA’s cybersecurity guidance has now been in use for more than two years. How has the response been, and what has developed from it?

KHAWAR: A big part of the impetus [in issuing the guidance] was just making sure that everyone understands that when it comes to these issues, that it’s not solely the private sector’s responsibility, but everyone has an important role to play.

We recognize that, depending on the plan sponsor, not all of them are going to have familiarity with cybersecurity issues. There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case. But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution they’re working with is doing what they need to be doing.

Even though it’s fair to say that not every stakeholder has a ticker-tape parade when we issue guidance, I think it’s fair to say that it has generally been well received. … It’s kind of helpful to have the government there; but it’s something that I view as a bit more of a partnership than a lot of other issues that we work on.

PLANADVISER: Can you tell me how this has played out on the ground? Has there been more cybersecurity auditing by the DOL or other regulators?

KHAWAR: On a routine basis, when we’re looking at retirement plans, folks should expect that we’re going to be asking some questions about cybersecurity. That doesn’t make every investigation a detailed cybersecurity investigation. But we might ask someone to describe the process by which they hire a service provider or how they’re monitoring their service provider. … That doesn’t necessarily mean we’re pointing to the best practices and asking, ‘Have you done A, B, C and D?’ Because we issued them as best practices, if that’s what you’re doing and you’ve done the kinds of things that are highlighted in there, you’re probably thinking about things the right way, and from our standpoint, have probably satisfied your obligations.

Though it’s very important to stress that: In the same way that you can have a prudent investment process and still lose money on the [investment] you select at the end, you can have a robust cybersecurity process and still have a breach. This isn’t about having something that is impenetrable. Obviously, if someone has that, perfect. But we are at the stage right now where we are making sure that there’s no sloppy mistakes, right? If there’s a known vulnerability, it’s making sure [a plan sponsor is] not waiting weeks or months or years to address the issue.

PLANADVISER: Advisers will often ask how it’s possible for mid- or smaller-tier plan sponsors to manage best practices around cybersecurity—or a number of other retirement compliance areas, for that matter. What would you say to those fiduciaries or firms that are smaller and juggling many items at once?

KHAWAR: One point of our elevating and highlighting these things is to make sure that [small plan sponsors] are paying attention to it. The part we’re focused on is the employee benefit plan. But it’s also true that it redounds to the benefit of their business as well, because their business may also be subject to a ransomware attack, in particular. The fact that they are paying more attention to cybersecurity is not exclusively a good thing from an ERISA perspective.

Part of what we have done is to make it easy for them. That is, when you think of the kind of thing we’re talking about in our tips and our best practices, the goal is not, ‘Do you know what SOCKS is?’ There’s not a quiz. … It comes back to the same context that you have for a lot of fiduciary interactions: It’s a question of, ‘Are you the educated kind of student consumer?’, so to speak. In the same way that if you were using any other service for your business, you would ask questions.

One thing that I’ve heard, including from the small business universe, is that they have literally printed out those best practices and said, ‘OK, we’re in the process of hiring a service provider, please fill this out. And then just give me a written answer.’ It’s a pretty simple way that people can do it, and they don’t have to have a high level of expertise.

PLANADVISER: There was a major breach that hit the retirement plan space recently, and there will likely be more in the future. What do those larger cases do, generally, for your focus and view of cybersecurity needs?

KHAWAR: We were just talking about small employers. But this is not limited to the small employer universe. There are large institutions that I think have benefited from paying more attention to their cybersecurity practices. … One of the questions I think you can always ask yourself when it happens is, ‘What parts of it were preventable?’ and thinking about it—and this is especially true for the service providers—both on a prospective and retrospective basis.

It’s important to approach some of these issues with an open-mindedness. The priority really shouldn’t be, ‘How can we make sure to tell everyone that our process is perfect?’ But if you’re holding ERISA money, the primary job you have is to keep that money safe. If your focus is on justifying after the fact something that maybe was a mistake, instead of fixing the mistake, that’s not where we want people to be.

The criminal element is always evolving. That phenomenon is kind of on steroids when it comes to cybersecurity. The thing that someone did 10 years ago is not the cutting-edge thing of tomorrow. … You really need to have a mindset that [criminal activity] is open to evolution, and taking that critical eye to it is one of the important things.

PLANADVISER: Do you plan to issue more guidance in the future?

KHAWAR: When we issued our best practices in April of ‘21, it was framed very much in the retirement plan context. At the time, we wanted to make sure that we had thought through whether there were distinctions between retirement plans and other plans—health plans—but also other welfare plans that are covered by ERISA. We didn’t think anything in the guidance conflicted with what our obligations would be. But the question was, given when you’re talking about health data, for example, there’s other federal privacy requirements. … To what extent do those add on extra things that we might want to highlight?

We asked our ERISA Advisory Council to look at that question. Their conclusion was that while there may be additional requirements that are imposed on fiduciaries of health plans, that … the [cybersecurity] best practices are just as applicable.

One of the things that more recently I’ve started hearing is that because even though we have subsequently said, ‘If you’re complying with it in the context of a retirement plan or a health plan or any other plan, you’re in good shape.’ Right? These are principles that you should be taking seriously. But when some sponsors have asked their service providers kind of the same questions in the context of a health plan and pointed to the Department of Labor [issuance], the answer that they’ve been given is, ‘Well, that’s just about retirement plans.’

That’s something that we’re looking at how we can best address. I think there will be something coming out at some point on that to, again, give something that people can look at in writing and point to.

«