A Deeper Dive into the DOL’s First-of-Its-Kind Cybersecurity Guidance

As noted in our recent blog post, the US Department of Labor (DOL) has repeatedly signaled that it would be turning its focus toward the intersection of cybersecurity practices and ERISA’s fiduciary duties. On April 14, 2021, the DOL stopped signaling and started acting, issuing three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers, and plan participants respectively.

While this subregulatory guidance does not have the deferential authority of a regulation subject to notice and comment—or arguably even the persuasive authority of an Advisory Opinion—the guidance provides a window into the DOL’s expectations of what ERISA’s prudence standards require with respect to cybersecurity matters. This window is particularly important given the specters of a threatened DOL enforcement initiative focusing on cybersecurity and privacy issues, increased private litigation arising out of cybersecurity events, and the general uptick in cybersecurity events affecting employee benefit plans.

Background

ERISA’s duty of prudence requires fiduciaries to act “with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” It has become generally accepted that ERISA fiduciaries have some responsibility to mitigate the plan’s exposure to cybersecurity events. But, prior to this guidance, it was not clear what the DOL considered to be prudent with respect to addressing cybersecurity risks associated, including those related to identity theft and fraudulent withdrawals.

New Guidance

Each of the three new pieces of guidance addresses a different audience. The first, Tips for Hiring a Service Provider with Strong Cybersecurity Practices (Tips for Hiring a Service Provider), provides guidance for plan fiduciaries when hiring a service provider, such as a recordkeeper, trustee, or other provider that has access to a plan’s nonpublic information. The second, Cybersecurity Program Best Practices (Cybersecurity Best Practices), is, as the name indicates, a collection of best practices for recordkeepers and other service providers, and may be viewed as a reference for plan fiduciaries when evaluating service providers’ cybersecurity practices. The third, Online Security Tips (Online Security Tips), contains online security advice for plan participants and beneficiaries. We have summarized each piece of guidance below along with our key observations.

Comments and Observations:

While the DOL characterizes the guidance for fiduciaries and service providers as “tips” and “best practices,” the DOL nevertheless included language indicating what an ERISA fiduciary or plan service provider should do. For example, Tips for Hiring a Service Provider states, “Plan Sponsors should use service providers that follow strong cybersecurity practices.” (emphasis added). Similarly, Cybersecurity Best Practices introduces its list of its 12 best practices as what “Plan’s service providers should” do (emphasis added). Although the guidance does not carry the authority of a regulation, there is risk that the DOL on audit (and for plaintiff’s lawyers in litigation) could seek to treat these best practices as mandates rather than helpful suggestions.

In light of this risk, plan fiduciaries could consider using the guidance to build or enhance a process to offset such risks, or bolster a compliance record in anticipation of such DOL investigations and private litigation.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

The first piece of DOL guidance, Tips for Hiring Service Providers, outlines factors for “business owners and fiduciaries” to consider when selecting retirement plan service providers, and further provides that plan fiduciaries should hire service providers with strong data security practices.

More specifically, this guidance recommends steps that a plan fiduciary should take when hiring a service provider:

• Ask about the service provider’s data security standards, practices, and policies and audit results and benchmark those against industry standards
• Analyze the service provider’s security standards and security validation practices
• Confirm that the agreement with the service provider permits the plan fiduciary to review cybersecurity compliance audit results
• Evaluate the service provider’s track record in the industry (e.g., security incidents, litigation, etc.)
• Ask about past security events and responses
• Confirm that the service provider has adequate insurance covering losses relating to cybersecurity and identity theft events, including losses caused by internal threats (e.g., the service provider’s employees) and external threats (e.g., third party fraudulent access of participant accounts)
• Ensure that the services agreement between the plan fiduciary and the service provider includes provisions requiring ongoing compliance with cybersecurity standards

Comments and Observations:

Conspicuously absent from both Tips for Hiring a Service Provider and Cybersecurity Best Practice is a clear statement regarding a fiduciary’s obligations with respect to current service providers. However, it is reasonable to expect that the DOL on audit may assert that a plan fiduciary should have evaluated their current service providers and current agreements in light of this guidance. Thus, fiduciaries may want to consider evaluating current agreements to better understand the service provider’s obligations and sending questionnaires to service providers regarding their cybersecurity programs and exercising audit rights. A fiduciary may even consider approaching service providers to discuss amending the services agreement to address cybersecurity.

Regardless of whether the guidance applies only prospectively or to agreements already in place, plan fiduciaries could consider using the Tips for Hiring a Service Provider when preparing requests for information (RFI) and requests for proposal (RFP). Additionally, when entering into a new agreement, the plan fiduciary could engage in meaningful negotiations over the terms of the agreement implicated in this guidance (e.g., cybersecurity, protection and use of confidential data, insurance coverage, etc.).

Cybersecurity Program Best Practices

The second piece of DOL guidance, Cybersecurity Best Practices, directed squarely at ERISA plan recordkeepers and other service providers who have access to plan-related IT systems and plan data, is the most detailed of the three pieces of subregulatory cybersecurity guidance. The guidance summarizes 12 “best practices” that plan service providers “should” implement to mitigate exposure to cybersecurity risks. Although this guidance is specific to service providers, the DOL points out that plan fiduciaries should be aware of these best practices to enable them to make prudent decisions when hiring a service provider. The 12 best practices described in this guidance indicate that:

1. service providers should have a formal, well-documented cybersecurity program that consists of policies and procedures designed to protect the infrastructure, information systems and data from unauthorized access and other malicious acts by enabling the service provider to (1) identify the risks, (2) protect the assets, (3) detect and respond to cybersecurity events, (4) recover from cybersecurity events, (5) appropriately disclose the event, and (6) restore normal operations.

Comments and Observations:

Plan fiduciaries issuing RFIs or RFPs, and those negotiating agreements with service providers, may use this guidance as a roadmap to determine the minimum standards to request as representations from their service providers. Similarly, service providers should anticipate their clients (and the DOL) to effectively treat these as minimum cybersecurity program standards.

2. service providers should design and codify annual risk assessments that help identify, estimate, and prioritize risks to the information systems.
3. service providers should have a third-party auditor assess the service provider’s security controls on an annual basis. The DOL indicated that as part of its review of an effective audit program, the DOL would expect to see, among other things, audit reports and audit files prepared and conducted in accordance with appropriate standards, penetration test reports, and documented correction of any weaknesses.

Comments and Observations:

Plan fiduciaries may wish to request that service providers share the results of the annual risk assessments and annual audit reports. If a service provider is unwilling (or unable) to provide these reports (and the service provider’s contract does not afford the plan fiduciary a right to these reports), the plan fiduciary could consider requesting confirmation that the annual risk assessment and annual audit were completed and that either no new significant risks were identified or any new significant risks have been properly evaluated and mitigated.

4. service providers should clearly define and assign information security roles and responsibilities, with management of the cybersecurity program at the senior executive level and execution of the cybersecurity program by qualified personal who have sufficient experience and certifications, undergo background checks, receive regular update and training on current cybersecurity risks and have current knowledge of changing threats and countermeasures.
5. service providers should have strong access control procedures, including limiting access to authorized users; limiting access privileges based on role and the “need-to-access” principle; establishing a policy to review access privileges every three months; requiring unique, complex passwords; using multifactor authentication wherever possible; establishing policies, procedures, and controls to monitor authorized users and detect unauthorized access; establishing procedures to ensure participant or beneficiary sensitive information in the service provider’s records matches the plan’s information; and confirming the identity of authorized fund recipients.
6. service providers should ensure that any cloud or third-party managed storage system used by the service provider to service the plan is subject to proper security reviews and independent security assessments.

Comments and Observations:

Plan fiduciaries are likely to find it difficult to monitor a service provider’s cybersecurity structural organization, control procedures, and oversight of cloud/third-party managed storage systems. After addressing these items as part of an RFI or RFP, plan fiduciaries might consider including these issues as part of an annual questionnaire that provides insight into the service provider’s ongoing compliance with the DOL’s best practices.

7. service providers should conduct periodic cybersecurity awareness training for all personnel pursuant to a comprehensive program that sets clear cybersecurity expectations and educates everyone to recognize sources of attack, help prevent incidents, and respond to threats. The DOL notably emphasized identity theft—individuals posing as plan officials, fiduciaries, participants, or beneficiaries— as a leading cause of fraudulent distributions that should be considered a key topic of training.

Comments and Observations:

The DOL’s emphasis on the risks posed by identity theft, coupled with recent high-profile litigation involving this issue, strongly incentivizes plan fiduciaries to ensure that their service providers have a strong policy of cybersecurity awareness training and to even confirm the subjects of that training (a level of interest that may not be well received by the service providers).

8. service providers should implement and manage a secure “system development life cycle” (SDLC) program addressing both in-house developed applications and externally developed applications and that includes activities such as penetration testing, code review and architecture analysis.
9. service providers should have an effective business resiliency program that addresses business continuity, disaster recovery, and incident response and allows for the organization to maintain continuous operations and safeguard people, assets, and data during periods of disruption.
10. service providers should implement current, prudent standards for the encryption of sensitive nonpublic information both while it is at rest and while in transit.
11. service providers should implement technical security controls consistent with best security practices, including hardware, software, and firmware that is kept up to date; firewalls and intrusion detection and prevention tools; current and updated antivirus software; routine patch management (preferably automated); network segregation, system hardening; and routine data backup (preferably automated).

Comments and Observations:

Some plan fiduciaries may find it difficult to understand and evaluate the technical aspects of a service provider’s SDLC programs, business resiliency programs, and security controls. As a result, plan fiduciaries may find value in having a technical expert—such as a member of the plan sponsor’s IT department—assist in reviewing these aspects of a service provider’s cybersecurity practices and documenting the review as part of the fiduciary’s minutes or other fiduciary records. Moreover, as part of the ongoing monitoring of a service provider, fiduciaries might consider including these items as part of an annual questionnaire to ensure continued compliance and to gain information on any enhancements or changes to the service provider’s programs.

12. service providers should respond appropriately to cybersecurity incidents that have occurred, including notifying law enforcement; notifying the appropriate insurer; investigating the incident; giving affected plans and participants information to prevent or mitigate harm; honoring contractual or legal obligations and fixing any problems that would prevent recurrence.

Comments and Observations:

Even where plan fiduciaries and the plan’s service providers take all reasonable steps to prevent cybersecurity events, they may nevertheless occur. What service providers do when these events occur is critical to mitigating the plan’s exposure to cybersecurity events. Plan fiduciaries should work to understand a service provider’s contractual obligations before the event and to ensure that all appropriate steps, as described in the guidance, are taken promptly in the event of a cybersecurity event.

Online Security Tips

The third piece of DOL guidance, Online Security Tips, inform plan participants and beneficiaries of ways to keep their online information and account safe. Some of the nine recommended security tips include the use of multifactor authentication, keeping contact information current, and avoiding phishing attacks. Plan fiduciaries could help mitigate the plan’s exposure to cybersecurity threats by encouraging participants and beneficiaries to follow these tips. This is especially true for the three tips highlighted in the foregoing sentence, which are particularly well-suited to limiting the risk of identity theft.

Comments and Observations:

While this guidance may not seem particularly important to plan fiduciaries at first, it can serve as a useful way to reiterate to plan participants and beneficiaries that they also have a responsibility to mitigate their exposure to cybersecurity events. Moreover, it may be helpful for plan fiduciaries to offer periodic educational and outreach on these responsibilities, and to reiterate to participants and beneficiaries during these target efforts (and in regular disclosures and communications, including the plan’s summary plan description) that the plan participants and beneficiaries bear responsibility for ensuring that they are taking precautions to secure their plan benefits from external threats.

Conclusion

The guidance issued on April 14, 2021 leaves open many questions. For example, how should plan fiduciaries and service providers address existing arrangements that do not comport with the guidance? Does the DOL believe that ERISA preempts state data privacy laws as they relate to ERISA benefit plans? Does the DOL expect fiduciaries to communicate the Online Security Tips to participants and beneficiaries, and, if so, how often? Nevertheless, it is a useful first step towards clarifying the DOL’s understanding of how ERISA’s duty of prudence applies to the world of cybersecurity.

As far as next steps are concerned, we encourage plan sponsors, fiduciaries, and service providers to consult the new guidance, enhance their existing data security protocols, and consider revisiting service provider agreements to better reflect the best practices set forth by the DOL. Please contact the authors or your Morgan Lewis contacts if you have any questions about this new guidance, the plan fiduciary’s duty of prudence, or what to do if (or when) a cybersecurity event affects your plan.

CONTACTS

Boston
Lisa Barton 

Chicago

Marla Kreindler
Dan Salemi
Julie Stapel

New York
Craig Bitman

Philadelphia
Bob Abramowitz
Amy Kelly
Gena Yoo

Pittsburgh
John Ferreira
Matt Hawes
Elizabeth Goldberg
Randall C. McGeorge
R. Randall Tracht

Washington, DC
Rosina Barker
Althea Day
Michael Gorman
Lindsay Jackson
Daniel Kleinman
Greg Needles
Michael Richman
Jonathan Zimmerman