Developing a Prudent Process for Cybersecurity

As the Department of Labor (DOL) expands the Swiss Army knife of skills it expects a retirement plan fiduciary to have, it becomes more important than ever for fiduciaries to focus on having verifiable processes in place. 

We’ve previously said that having a verifiable administrative process can be helpful when the DOL investigates. In recent years, we have been helping plan fiduciaries who have been focused on developing bounty-hunter-like policies in response to the agency’s aggressive enforcement position on missing participants. As the DOL pivots to new areas of enforcement—such as cybersecurity—it will be important for plan fiduciaries to consider taking similar steps to help protect participant account balances, plan information technology systems and related information. While nobody could have anticipated in 1974 (when the Employee Retirement Income Security Act [ERISA] was enacted) that plan fiduciaries would be responsible for cybersecurity, here we are in 2021 with a department that seems to expect human resources (HR) professionals to moonlight as expert hackers.

Cybersecurity is the DOL’s latest plan sponsor investigation priority. This initiative appears to be the outgrowth of a series of cases that participants have brought against plan fiduciaries and plan service providers alleging that the fiduciaries should have done more to prevent the theft of their account balances by cybercriminals. This first wave of litigation is ongoing and has called into question what exactly a plan fiduciary should know about plan service providers’ abilities to prevent account takeovers.

As a result of this new spotlight, last year, the DOL began opening investigations of plans to determine whether they had implemented prudent cybersecurity policies. Similar to its missing participant initiative, only after starting to investigate did the department identify its expectations for plan fiduciaries. 

So what are plan fiduciaries to do? First, they might want to review the sub-regulatory guidance the DOL issued on April 14. Specifically, the agency issued “Tips for Hiring a Service Provider,” Cybersecurity Program Best Practices” and “Online Security Tips.”

In recent investigations, we have already seen investigators from multiple regions ask questions based on these “Tips” and ask plan fiduciaries to document how they and their service providers are complying. The DOL is making fairly standardized requests where plans are asked to request certain policies and procedures from service providers.

As a second step, plan fiduciaries might want to incorporate some or all of the items the DOL has identified in its “Cybersecurity Program Best Practices” into future service provider requests for proposals (RFPs).

A starting point for implementing these steps can be to inventory what cybersecurity practices are currently in place. To do this, we have seen and helped plan fiduciaries identify the information technology (IT) systems a plan relies on (from internal systems to identifying service providers that have their own systems—such as recordkeepers). This allows plan fiduciaries to document, or request help documenting, cybersecurity practices that are already in place. Doing that can put them in a better position to determine if current systems are adequate or if more should be done.

The DOL’s initiative into cybersecurity is in its infancy, and we expect many new investigations to be opened over the next few years. The best time to prepare is before you are investigated.

Beyond the investigation risk, the new sub-regulatory guidance provides a framework to use 2021 as the time to develop a process for documenting what service providers are doing to protect participant balances and other data cybercriminals are targeting. As this new initiative ramps up, plans that take steps to shore up cybersecurity practices now are likely to have better outcomes both in terms of avoiding participant losses and in terms of resource expenditure in investigations.

Allison Itami and Kevin Walsh are both principals at Groom Law Group, Chartered. Their practices encompass assisting plan fiduciaries with understanding their responsibilities and helping them develop processes and systems for meeting and documenting compliance. In addition to this prophylactic assistance, they and their colleagues at Groom Law Group defend plan fiduciaries and plan sponsors in Department of Labor investigations and fiduciary litigation. For more information visit www.groom.com.