The DOL’s Cybersecurity Guidance in Practice

Experts share insights about implementing the guidance and warn that plan sponsors can expect investigations from the agency now that there are guidelines.

The Department of Labor (DOL) released its first-ever cybersecurity guidance for Employee Retirement Income Security Act (ERISA) plans last month.

The guidance included three parts:

  • tips for hiring a service provider with strong cybersecurity practices;
  • cybersecurity program best practices; and
  • online security tips for participants.

There’s not much new information in the DOL guidance from what had already been suggested by experts; it has issued common sense best practices that reflect the state of the industry, says Andrew Elbon, a partner with law firm Bradley.

“What’s new is that the DOL has laid out in a thorough manner what it would expect plan fiduciaries to be looking for,” he says. “The DOL is saying, ‘This is a fiduciary issue and here’s a road map.’”

Matthew Hawes, a partner at Morgan, Lewis & Bockius LLP, agrees that the guidance is a clear indication that the DOL thinks cybersecurity is a fiduciary responsibility. Both plan sponsors and providers have a responsibility to be proactive with respect to the privacy and cybersecurity of plan and participant information, he says.

Elizabeth Goldberg, also a partner at Morgan, Lewis & Bockius LLP, says, along with issuing the guidance, DOL officials have made statements about conducting investigations related to cybersecurity. “In addition to the risk of having participant assets stolen and being sued, now there’s a potential for DOL investigations,” she says.

The guidance provides a level of detail not often seen from the DOL when it comes to plan processes, Hawes notes. He says the DOL’s recent guidance on missing participants also provided details about processes. “Perhaps it is a new approach the DOL is taking when it comes to providing guidance,” he says.

Goldberg echoes the fact that the DOL guidance “gets pretty granular about what it considers to be best practices.” She notes that the “best practices” part of the guidance doesn’t just inform providers what they should do, but it also tells plan sponsors what they should be doing.

“Even without this, the threat of litigation would signal that this is something plan sponsor fiduciaries should consider, even if it is unresolved in courts,” Goldberg says.

Implementation of the Guidance

Elbon says he expects plan sponsors seeking providers will issue a request for proposals (RFP) that includes the questions the DOL suggests. He says he imagines the issuance of an RFP would be a one-time thing, but it makes sense to expect current service providers to provide some kind of annual checkup to show how they are continuing to satisfy cybersecurity best practices and to communicate any changes they’ve made. Plan sponsors should also expect a report of incidents.

However, Hawes notes that the cybersecurity guidance is sub-regulatory; it was not afforded the notice and comment period involved in regulations and doesn’t necessarily reflect the views and input of all stakeholders. This may affect plan sponsors. For example, the DOL guidance says plan sponsors should ask providers to make available self-audit results, but providers might not want to do so because it could provide an avenue for bad actors to figure out ways to exploit their cybersecurity systems.

Goldberg says that provider resistance is one practical challenge plan sponsors could face when trying to implement the guidance. The DOL doesn’t address what plan sponsors should do in that case.

Hawes says there’s also a risk that the guidance becomes viewed by potential litigants and the DOL as a minimum standard.

“It’s hard to be certain that sponsors and providers can comply with all of them,” he says. “I’m not saying we want the DOL to say what to do if a provider doesn’t deliver information. It would be nice for the DOL to say these factors are considerations in the selection and retention of providers and no one is greater than any other when making decisions.”

“To the extent a plan sponsor is doing anything in-house that involves the storage or transmission of ERISA plan and participant data, it should have a person or team, if it doesn’t have an IT [information technology] department, dedicated to ensuring cybersecurity,” Elbon says. “This is for all ERISA plans, not just retirement plans, but also health plans.”

Elbon says there is a good chance that some plan sponsors are handling data and are not just relying on service providers for the storage or transmission of data. These sponsors should look at their cybersecurity practices and consider whether they want to keep being responsible for handling data, he suggests. If they continue to take on that responsibility, plan sponsors should consider what they need to change to better protect data and respond to incidents.

“I do a lot of work with HIPAA [the Health Insurance Portability and Accountability Act], and one rule of thumb I’ve tried to convey is if a plan sponsor is in the business of holding on to participant data, it should probably get out of it and rely on service providers that are better equipped to handle cybersecurity,” Elbon says. “Maybe one of the side effects of the [DOL] guidance is giving plan sponsors the impetus to do that. They now have a nice set of guidelines to rely on for evaluating and selecting service providers based on this issue.”

To the extent that plan sponsors have exposure, Elbon says it makes sense that their corporate insurance policies should have cybersecurity provisions.

Plan sponsors should share the DOL’s online security tips with plan participants, he adds. Elbon says plan service providers can communicate the tips as well.

The DOL guidance shows that, in the agency’s view, plan participants bear some responsibility for protecting their accounts, Hawes notes. Communicating the online security tips to participants and documenting that they’ve done so will help plan sponsors defend themselves if a loss is somehow related to a participant’s failure to implement his own security precautions, he adds.

Goldberg notes that the DOL included language in its missing participant guidance that recognized specific factors such as cost must inform the application of best practices, but that wasn’t included in the cybersecurity guidance.

Another thing not spelled out in the guidance is which service providers are relevant, Goldberg says. “We can extrapolate that the key focus is on recordkeepers, but which others?” she asks. She also notes that the DOL did not address whether plan data is considered a plan asset—a question that is playing out in court cases.

“We know fiduciaries need to engage experts,” Hawes says. “This guidance has many technical aspects which might make it necessary to engage with IT to help with the evaluation of service providers.”

“I think this is a very positive development, offering very specific rules of the road to rely on,” Elbon says. “I see this as consistent with a prudent process to select service providers, just as plan sponsors need to have a prudent process to select investments. That is a fiduciary act. It doesn’t mean that if something goes awry, plan sponsors are at fault; it just ensures they do their due diligence.”