Employee benefit plans subject to the Employee Retirement Income Security Act (“ERISA”), including retirement and health and welfare plans, are attractive targets for hackers, particularly given their potential access to plan assets and participant information. The U.S. Department of Labor (“DOL”) realizes employee benefit plans are vulnerable to cyberattacks and on April 14, 2021, it issued a three-part cybersecurity guidance package containing:
- A cybersecurity best practices summary: Cybersecurity Program Best Practices (dol.gov)
- Tips for hiring service providers: Tips For Hiring a Service Provider With Strong Cybersecurity Practices (dol.gov)
- A model notice offering participants and beneficiaries online security tips: Online Security Tips (dol.gov)
The DOL’s recent guidance emphasizes that sufficient measures are needed to protect participants and plan assets from cybersecurity threats. The DOL specifically states that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. Since plan sponsors and plan fiduciaries also have fiduciary obligations to prudently select and monitor service providers, the cybersecurity practices of their service providers should be a significant consideration in carrying out their fiduciary obligations.
While some of the DOL guidance is aimed at retirement plans subject to ERISA and does not specifically address ERISA group health and welfare plans, there appears to be no reason why the DOL’s reasoning, best practices and tips would not apply to such plans as well, and many health and welfare trusts are already proceeding on that basis. That makes sense, since fiduciary obligations apply equally to plan sponsors and fiduciaries of ERISA retirement plans and of health and welfare plans.
Plan sponsors and fiduciaries often rely on service providers to maintain plan records and keep plan information and participant data confidential. According to the DOL, plan sponsors and fiduciaries should select service providers that follow strong cybersecurity practices.
Note that the DOL has issued information and document requests in connection with its audit initiatives that focus on retirement plan cybersecurity practices. This will likely extend to health and welfare plans. Accordingly, ERISA plan sponsors and fiduciaries should review and evaluate how their existing programs measure up to the DOL’s recommendations and develop their cybersecurity programs accordingly.
A summary of the DOL’s guidance to help plan sponsors and fiduciaries meet their obligations to prudently select and monitor service providers follows below.
I. TIPS FOR HIRING A SERVICE PROVIDER WITH STRONG CYBERSECURITY PRACTICES
The DOL’s cybersecurity guidance advises plan sponsors to build certain inquiries into their processes for selecting, evaluating and monitoring plan service providers. These inquiries are summarized below.
A. DOL’s Tips for Sound Due Diligence Regarding A Service Provider’s Cybersecurity Practices
- Ask about the service provider’s documented cybersecurity program, including the service provider’s information security standards, policies and procedures, and audit results and compare them to industry standards used by other service providers.
- Confirm whether and how the service provider validates its information security practices and standards.
- Assess the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services, and how the vendor addressed those security incidents.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
- Confirm that the service provider has insurance to cover losses caused by data breaches and cybersecurity-related losses.
II. TIPS FOR CONTRACTING WITH PLAN SERVICE PROVIDERS
A. DOL’s Tips
Make sure that your contract with a service provider:
- Commits the service provider to support a DOL audit;
- Requires ongoing compliance with cybersecurity and information security standards;
- Limits the use and sharing of data (particularly confidential information);
- Requires notice of data breaches or cyber incidents;
- Includes provisions that do not limit the service provider’s responsibility for IT security breaches;
- Requires compliance with privacy, security and data retention laws;
- Requires the service provider to maintain cyber-insurance; and
- Provides a right to audit the service provider’s compliance with its information security policies and procedures.
In light of the DOL’s guidance and audit initiative, plan sponsors and fiduciaries are encouraged to review their cybersecurity practices, as well as their service providers’ cybersecurity programs, to mitigate cybersecurity risks to their ERISA plans.
The attorneys at Day Rettig Martin, P.C. provide a full complement of data breach coaching services to benefit plan sponsors, healthcare providers, and businesses, including data breach notification to individuals and various government entities. In addition, we counsel clients on the creation of information privacy and security plans, gap assessments, breach prevention and the development and implementation of policies and procedures.
If you have any questions about designing and/or administering employee benefit/executive compensation plans, issues arising under information privacy laws such as incident response to data breaches under state and federal laws, or labor/employment practices, please give us a call at (319) 365-0437.