If You Have An ERISA Plan, You Need To Think About Cybersecurity

Earlier this month, in response to a recent federal report recommending guidance to address cybersecurity risks to retirement plans, plan participant data, and plan assets, the Employee Benefits Security Administration division of the DOL (“EBSA”) published cybersecurity guidance for ERISA-covered retirement plans. The guidance sets out best practices for plan service providers and also offers tips to plan sponsors and to plan participants.  Although the guidance specifically mentions retirement and pension plans, it states that it applies to all plans governed by ERISA.  Accordingly, ERISA-governed health and welfare benefit plans should also follow EBSA’s guidance.

ERISA-governed plans are increasingly targets of cyber threats because of the amount of plan assets held by any one plan.  This guidance makes clear that the DOL believes those plans must be protected. In addition, courts have recently issued rulings finding that plan participant data can be considered a plan asset.  This means that fiduciaries must exercise their duty of prudence to safeguard participant data as if it were actual plan funds.

Given the increasingly remote workforce of many plan sponsors, this new guidance is especially timely.  If you are a plan fiduciary and do not have a cybersecurity policy for your plan, now is the time to adopt one.  If you already have a cybersecurity policy, now is the time to review and update it in light of this new guidance.

In the guidance, EBSA states what it believes are the twelve “best practices” for all ERISA service providers. These best practices provide that a service provider should do the following:

  • Develop, document, and regularly monitor and update a formal cybersecurity program
  • Conduct prudent annual risk assessments
  • Have a reliable annual third-party audit of security controls
  • Clearly define and assign information security roles and responsibilities
  • Have strong access control procedures
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments
  • Conduct regular cybersecurity awareness training
  • Implement and manage a secure system development life cycle program
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response
  • Encrypt sensitive data, stored and in transit
  • Implement strong technical controls in accordance with best security practices
  • Appropriately respond to any past cybersecurity incidents

Alongside these twelve best practices, the guidance includes two companion pieces:

  • Tips for plan sponsors on hiring a service provider with strong cybersecurity practices
  • Online security tips for educating participants about protecting their accounts

Many of the above recommendations are very similar to those found in HIPAA for protecting health data.  As plan sponsors evaluate their service providers and their own internal practices, this guidance should be top of mind.  Future RFPs should, at a minimum, request information about each of the twelve EBSA “best practices.”  The DOL also stated that plan sponsors should consider this guidance when negotiating with their service providers.  Contract terms governing how participant information is shared and stored, along with the other items the guidance addresses, should be a particular focus in future agreements.

With this guidance, the DOL has confirmed that cybersecurity is a fiduciary obligation for plan sponsors.  As such, fiduciaries must take reasonable and prudent steps to protect their plans and related participant data.  If you have any questions about how to protect your plan or how to implement the DOL’s guidance, please contact any member of Graydon’s employee benefits team.