Cybersecurity and ERISA
On April 14, the Department of Labor (DOL) issued a cybersecurity guidance package directed at sponsors of, and service providers to, plans regulated under the Employee Retirement Income Security Act (ERISA). This is the first such guidance the department has issued, and advisers should expect clients to inquire about how to comply with it. Also, advisers may view the issuance of the guidance as an opportunity to consult with their clients on this highly technical compliance matter.
The DOL presented the guidance package in three separate documents: “Tips for Hiring a Service Provider With Strong Cybersecurity Practices,” “Cybersecurity Program Best Practices” and “Online Security Tips.” The first two publications address, respectively, what plan fiduciaries and plan service providers should consider in evaluating plan-related cybersecurity policies and procedures. The third guidance informs plan participants what steps they can take to protect their plan benefits from cybertheft. Importantly, the DOL states that responsible plan fiduciaries have a duty under ERISA to mitigate their plan’s cybersecurity risks.
The three documents are written as tips and best practices. However, the DOL’s Employee Benefits Security Administration (EBSA) Office of Enforcement (OE) has been using the guidance as a tool in its investigations. Since April, some regional offices have sent information document requests (IDRs) to plan sponsors in order to secure information about their plan’s, and its service providers’, cybersecurity practices. The IDRs clearly track the guidance, as do DOL investigators’ questions in OE interviews of plan sponsors. Whether the DOL will take any action on the information it gleans from such investigations remains to be seen. However, at a minimum, the agency has put plan fiduciaries and service providers on notice that it expects them to focus on cybersecurity policies and procedures.
Given the issuance of the guidance and recent DOL enforcement activity, fiduciaries and service providers should evaluate the relevant cybersecurity policies and procedures accordingly. Plan fiduciaries can use the “Hiring a Service Provider …” publication to identify how to evaluate: 1) a service provider’s cybersecurity practices, and 2) certain cybersecurity-related provisions in their contracts with service providers.
The guidance focuses on evaluating service providers that a plan fiduciary might hire. Yet, given that DOL investigations likely will ask how the fiduciary has been addressing cybersecurity risk, and given recent ERISA breach of fiduciary duty lawsuits brought by participants whose account balances were stolen, plan fiduciaries also should consider evaluating their current service providers.
Additionally, fiduciaries should consider sharing “Online Security Tips” with their employees. The guidance provides some excellent information on how individuals can take steps to protect their retirement benefits from cybercriminals. Further, sharing the tips may help demonstrate procedural prudence on the part of the fiduciary.
Service providers likely would benefit from assessing their policies and procedures in light of both the “Tips for Hiring a Service Provider …” and the “Cybersecurity Program Best Practices” guidance. Many providers will likely receive inquiries from plan fiduciaries along the lines of what the DOL states in the hiring a service provider guidance, and thus will benefit from preparing for such inquiries in advance.
The program best practices guidance offers a good overview of what the DOL sees as effective cybersecurity practices. Many service providers have taken significant steps to protect themselves and their clients from cybercrime. However, in reviewing the guidance, providers can learn where in particular the DOL, or their clients, have concerns.
In summary, the DOL’s cybersecurity guidance is the first effort the department has made to establish that plan fiduciaries have certain fiduciary duties in connection with cybersecurity and protecting plan participants and their employee benefits. Notably, this duty extends to all employee benefit plans, not just retirement benefits. Plan fiduciaries and their providers would do well to carefully review and consider the application of the guidance. Also, they shouldn’t be surprised if the DOL provides further instruction on cybersecurity, possibly in the form of regulatory or sub-regulatory guidance, in the not-too-distant future.
David Kaleda is a principal in the fiduciary responsibility practice group at Groom Law Group, Chartered, in Washington, D.C. He has an extensive background in the financial services sector. His range of experience includes handling fiduciary matters affecting investment managers, advisers, broker/dealers, insurers, banks and service providers.