June 23, 2021 - The Guidance, which comes in the form of "tips" and "best practices," is primarily directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974, as amended (ERISA), as well as service providers and plan participants.

The Guidance does not have regulatory authority but does provide insight into the DOL's expectations with respect to cybersecurity. As such, it is likely to inform enforcement activity, litigation, and service provider contracting in the future.

While the Guidance is consistent with cybersecurity measures in existing federal and state laws, and other cybersecurity guidance, standards and best practices, it focuses on cybersecurity obligations in the context of ERISA's fiduciary obligations.

The Guidance recognizes that plan sponsors and other fiduciaries have an obligation to mitigate cybersecurity risks, including by prudently selecting and monitoring service providers with strong cybersecurity practices.

There are three parts to the Guidance: (1) Tips for hiring a service provider, (2) Cybersecurity program best practices, and (3) Online security tips.

The first part of the Guidance sets forth tips for hiring a service provider with strong cybersecurity practices. The second part of the Guidance discusses cybersecurity best practices for recordkeepers and other service providers. The third and final part of the Guidance provides tips for plan participants.

The Guidance sets forth tips to help plan sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers upon whom they rely to maintain plan records and store participant data, focusing on due diligence and contract negotiation.

The Guidance recommends that plan sponsors and fiduciaries assess their service providers' cybersecurity practices by taking the following actions:

(1) Request copies of each service provider's information security standards, practices and policies; compare them to industry standards that have been adopted by other, similar institutions; and inquire as to how the service provider validates its practices and implements its policies and standards.

(2) Confirm whether and how the service provider validates its information security practices.

(3) Investigate the service provider's track record of protecting plan data, such as whether the service provider has had any information security incidents or related litigation.

(4) Ask the service provider if it has had a data security breach, and if so, what happened and what the service provider did in response.

(5) Confirm the service provider has insurance that covers cybersecurity-related losses and data breaches.

(6) Ensure the service provider's agreement requires ongoing compliance with cybersecurity and information security standards and also includes terms that: do not limit the service provider's responsibility for data security breaches, include a right to audit the service provider's compliance with its information security policies and procedures, clearly limit the use and sharing of data (including confidential information), require notification of a data breach or cyber incident, require compliance with privacy, security and data retention laws, and require the service provider to meet minimum cyber-insurance requirements.

The Guidance advises plan sponsors and fiduciaries to ensure that the service providers they hire, including recordkeepers and other service providers responsible for plan-related IT systems and data, have a formal, well-documented information security program that includes business continuity, disaster recovery, and incident response policies and procedures.

Such an information security program should also:

(1) Include annual risk assessments and third party audits.

(2) Define and assign information security roles and responsibilities, including providing sensitive information only on a need-to-know basis (i.e., access controls).

(3) Include cybersecurity awareness training.

(4) Require security control assessments of cloud and other service providers that process or store plan data.

(5) Implement and maintain a "security systems development lifecycle program" (e.g., vulnerability scans, code review, and architecture analysis).

(6) Include business continuity, disaster recovery, and incident response plans.

(7) Require the encryption of sensitive data at rest and in transit.

(8) Require the implementation of strong technical controls for hardware, software, and firmware following best practices.

(9) Respond appropriately to any cybersecurity incidents, including mitigating the harm and addressing the vulnerability.

The Guidance recommends that plan participants take the following precautions:

(1) Routinely monitor benefits plan accounts and keep contact information current.

(2) Use complex and unique passwords and multi-factor authentication for benefits plan accounts.

(3) Close and delete unused accounts.

(4) Beware of accessing accounts through public Wi-Fi.

(5) Beware of email and telephone phishing attacks.

(6) Use anti-virus software.

(7) Report identity theft and cybersecurity incidents to the FBI and Department of Homeland Security, and if related to your benefits plan, report to your employer.

The Guidance provides much anticipated insight into the DOL's expectations of plan sponsors and fiduciaries in the context of cybersecurity, although it also leaves open many questions, including how the Guidance might be used in the future (e.g., DOL enforcement activity, private party litigation, service provider contracting, and the like).

Plan sponsors and fiduciaries should consider incorporating the DOL's due diligence recommendations into their hiring practices for service providers and should evaluate service providers' cybersecurity programs in light of the DOL's best practice criteria.

Likewise, service providers may wish to review their cybersecurity programs and standard contract terms related to cybersecurity. Finally, plan sponsors should consider sharing the DOL's online security tips with plan participants.

