Formally wading into the cybersecurity discussion for the first time, on April 14, 2021, the U.S. Department of Labor (DOL) posted on its website a suite of new guidance, including Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries.

By way of background, cybersecurity has over the last decade become an area of critical importance to sponsors and administrators of employee benefit plans, as well as to plan participants.  Put simply, this is because plans (which the DOL estimates hold $9.3 trillion in assets) are a prime target of cyberthieves: they typically hold significant amounts of sensitive participant data, often permit electronic access to funds (think 401(k) distributions) and rely on outside service providers, each of whom is an additional access point for a breach.  This risk was only exacerbated by the COVID-19 shutdowns, during which benefits personnel and their service providers quickly had to transition to working remotely and came to rely on electronic access more than ever before.

In the face of these cybersecurity challenges, many plan sponsors and administrators have considered ways to mitigate risk, both internally (e.g., through education of their benefits personnel and participants) and externally (principally through management of their service provider relationships).

In recent years, it has been suggested (including by the Government Accountability Office in a February 2021 report) that the DOL should provide its perspective on fiduciary responsibilities with respect to cybersecurity.  The DOL had been largely silent on these matters, but has now stepped into the discussion with the following three pieces of guidance, each aimed at a different audience.

Cybersecurity Program Best Practices: This document contains a list of 12 best practices for use by recordkeepers and other plan service providers responsible for information technology and data.  The guidance provides fairly extensive detail for each of the 12 items, which range from a description of what the DOL expects to see in a formal, documented cybersecurity program to an emphasis on the importance of annual internal risk assessments along with external audits of security controls.  The document also details the actions that should be taken in the event a cybersecurity breach or incident occurs.  While this document is principally aimed at controls for service providers, it is still relevant for plans that maintain information technology systems in-house.  Even for plans that do not maintain in-house systems, the DOL indicated that these best practices are for use by plan fiduciaries in their vendor hiring decisions.  Notably, the document includes a blanket statement that “plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”

Tips for Hiring a Service Provider with Strong Cybersecurity Practices: The DOL then turned its focus directly to plan fiduciaries, issuing a document that provides some succinct suggestions for steps that plan sponsors and administrators might take with respect to diligence of, and contracting with, plan service providers. For example, the DOL guidance suggests the following steps:

  • Ask about the provider’s cybersecurity program and compare it to industry standards. As noted above, the DOL’s 12 Cybersecurity Program Best Practices can serve as useful guidance on the DOL’s view of what constitutes a sound cybersecurity program.
  • Seek providers that engage a third-party auditor to annually review and validate their cybersecurity program. The DOL further suggests that plan fiduciaries include a provision in the contract with the provider requiring that an annual third-party cybersecurity compliance audit be conducted.
  • Evaluate the provider’s track record in the industry by reviewing publicly available information about past security incidents and legal proceedings involving the provider.
  • Ask about past security breaches and how the provider responded.
  • Ask about the provider’s insurance policies that would cover losses caused by cybersecurity and identity theft breaches and consider requiring the provider to maintain professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.
  • Negotiate clear provisions in the contract regarding the provider’s obligation to keep private information private and meet a strong standard of care to protect confidential information.
  • Require in the provider contract the provider’s ongoing compliance with its internal cybersecurity and information security standards, as well as compliance with records retention and destruction, privacy and information security laws.
  • Include in the provider contract how much time the provider has to provide notice to the fiduciary of a security breach and require that the provider investigate and reasonably address the cause of the breach. The DOL also states that plan fiduciaries should carefully review contract provisions that would limit the provider’s responsibility for cybersecurity breaches.

Online Security Tips for Participants and Beneficiaries:  Apparently recognizing that participants and beneficiaries represent a primary vulnerability from a cybersecurity perspective, the DOL provided these security tips for participants to consider in order to reduce the risk of fraud or cybertheft with respect to their benefits.  This list contains many predictable, but important, topics such as strong password use, phishing awareness, updating personal contact information and monitoring accounts.  While the DOL did not specifically suggest this, plan sponsors and administrators may wish to consider disseminating this guidance (or their own version of the guidance) to participants to improve their cybersecurity awareness and help avoid future crises.

The View from Proskauer

Given the threat that cybercrime poses to plans in the post-COVID world, it is an excellent time for plan sponsors and administrators to analyze their own vulnerabilities and establish an action plan to mitigate the risk of loss associated with data security breaches.  Vendor diligence and contracting is a critical – albeit not the sole – component of such an action plan.  The DOL’s guidance provides a helpful look into the DOL’s perspective on this issue and should be considered as a useful data point in the broader analysis.


Robert Projansky

Robert M. Projansky is a partner in the Employee Benefits & Executive Compensation Group and is currently a member of the Firm’s Executive Committee.

Rob has a broad practice advising both multiemployer and single employer clients on all issues related to the legal compliance and tax-qualification of ERISA-covered pension and welfare plans. Rob’s clients include the largest and highest-profile U.S. media and entertainment industry clients, as well as a broad range of Fortune 500 companies.

In the multiemployer context, he serves as counsel to the boards of trustees of a number of large and small funds and frequently assists clients in addressing issues related to the funding of defined benefit pension plans, including zone status, benefit suspensions, special financial assistance and withdrawal liability. He also advises these clients on healthcare compliance, cybersecurity and government investigations. In addition, his practice includes advising corporate clients on their responsibilities related to multiemployer plans, with particular expertise on the impact of multiemployer and collectively bargained plans in corporate transactions.

Rob has extensive experience advising corporate clients regarding general compliance issues and fiduciary compliance matters, including plan asset and prohibited transaction issues. He also has addressed a myriad of issues related to complex plan investments, including negotiation of separately managed and collective investment vehicles for both traditional and alternative investments such as hedge funds, private equity funds and fund-of-funds vehicles.

Rob is described in Chambers USA as “incredibly smart and creative, and a really effective, zealous advocate” who “adroitly communicates complicated ERISA matters to clients in understandable language and well-timed levity.”  He is a widely sought after speaker on topics related to employee benefits, fiduciary, cybersecurity and government investigations and speaks each year at the annual conference and various other conferences sponsored by the International Foundation of Employee Benefit Plans, the largest educational organization in the employee benefits industry. Rob currently serves as one of the nine Advisory Directors on the Board of Directors of the International Foundation.

Steven Weinstein

Steven D. Weinstein is a partner in the Employee Benefits & Executive Compensation Group and co-head of the Strategic Corporate Planning Group. He has been practicing in the employee benefits field since 1984, representing clients sponsoring single employer and Taft-Hartley pension and welfare plans.

Steven advises clients in all aspects of pension plan tax qualification and plan administration, including drafting of plan documents and employee communications; providing advice relating to corporate acquisitions and mergers; and negotiating investment management agreements, trust agreements, recordkeeping and custodial contracts, and other plan-related contracts.

In the tax-qualified plan area, Steven assists clients concerning the rules relating to discrimination testing, participation, vesting, cash or deferred arrangements, plan limitations and plan distributions. He also counsels clients regarding voluntary correction programs offered by the Internal Revenue Service and Department of Labor.

In addition, he counsels a wide array of clients on issues relating to fiduciary responsibility in connection with the administration and operation of employee benefit programs, particularly with respect to advice relating to the investment of plan assets. The latter advice includes the rules governing investment diversification, determination of plan assets, foreign indicia of ownership, prohibited transactions, and exclusive benefit and prudence. He also advises employers in connection with the implementation of all phases of reduction-in-force programs, including the drafting of severance plans and related documents, as well as employee communications required to effect these programs.

Steven has wide-ranging experience with health and welfare plans, particularly regarding the new rules issued under the Affordable Care Act (ACA). As a member of Proskauer’s interdisciplinary Health Care Reform Task Force, he assists clients and other Firm lawyers in preparing for the numerous changes resulting from ACA.

His experience is extensive in advising Fortune 500 companies with respect to the structure of their benefit plans and how such plans may be affected by corporate transactions. He also regularly counsels plan fiduciary committees as to best procedural practices to reduce potential exposure to fiduciary breach claims. His clients are most frequently in the manufacturing, financial services and entertainment sectors.

Steven has significant experience in assisting clients with the implementation and ongoing operation of non-qualified retirement plans and other types of executive compensation, including issues relating to ERISA coverage, and Section 409A and Section 457A compliance. He also advises clients in connection with executive employment agreements and change-in-control or severance arrangements.