Employee Retirement Income CYBERSecurity – DOL Issues New Cyber Authority Under ERISA

Cybercrime increased exponentially in 2020 and into 2021, starting with the disruption caused by COVID-19 and the migration to a work from home environment. Phishing emails were up 35 times and ransom attacks were up 150 percent in 2020. Foreign state sponsored cyberattacks such as the one affecting Solar Winds, also highlighted the increased risks from vendors and suppliers.

In step with this increasing threat environment, on April 14, 2021, the Department of Labor (DOL) issued for the first time cybersecurity guidance with respect to plans covered by the Employee Retirement Income Security Act of 1974 (ERISA). In addition to the prevalence of cybersecurity and other data-related issues across a variety of different areas, on the ERISA front, there have recently been developments regarding data protection and data use.*

The DOL guidance is multi-pronged and directed at all aspects of the retirement ecosystem. It provides guidance on cybersecurity best practices for plan sponsors, fiduciaries, record-keepers and participants and is designed to protect plan assets and reduce the risks of cybersecurity threats. The guidance was issued in three pieces, each designed for a specific audience. They are entitled “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices” and “Online Security Tips,” and are summarized below.

Tips for Hiring a Service Provider for Employers

The DOL recognized that plan sponsors often rely on third-party vendors with respect to the operation and administration of their retirement plans. Facing that reality, the DOL unequivocally states that “plan sponsors should use service providers that follow strong cybersecurity practices.” Taking steps to review the cybersecurity practices of key service providers is imperative, as often the way in for cybercriminals is through such vendors. Asking about practices, insurance levels including ransom coverage, incident response plans and requiring notice of any data breaches that affect plan data are all important steps to take in protecting plans from a vendor breach.

To assist plan sponsors in meeting their responsibilities to select and monitor service providers in a prudent fashion, the DOL provided the following list of important considerations and action items:

• Inquire and review service providers’ information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
• Ask the service provider how it validates its security practices, and what levels of security standards it has met and implemented.
• Evaluate service providers’ track records in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
  Inquire whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
• Determine if the service provider maintains insurance that covers losses caused by cybersecurity and identity theft breaches.
• Require that the service provider is contractually committed to ongoing compliance with cybersecurity and information security standards.

Best Practices for Plan Fiduciaries

According to the DOL, ERISA-covered retirement plans are tempting targets for cyber-criminals, because of the millions of dollars that they hold and the personal participant data that they maintain. Consequently, “plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risk.”

To assist recordkeepers, other service providers and plan fiduciaries in satisfying their responsibilities, the DOL has prepared the following list of best practices that all plan service providers should comply with:

• Have a formal, well documented cybersecurity program.
• Conduct prudent annual risk assessments.
• Have a reliable annual third-party audit of security controls.
• Conduct periodic cybersecurity awareness training.
• Implement and manage a secure system development life cycle program, to ensure that security assurance activities such as penetration testing, code review and architecture analysis are an integral part of the system development effort.
• Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
• Encrypt sensitive data, stored and in transit.
• Implement strong technical controls in accordance with best security practices.
• Appropriately respond to any past cybersecurity incidents.
• Clearly define and assign information security roles and responsibilities.
• Have strong access control procedures.
• Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

Online Security Tips for Plan Participants

The third piece of DOL guidance is intended to inform plan participants how better to safeguard their retirement accounts in order to reduce the risk of fraud and loss. Cybercriminals increasingly are using personal information gained through social media and other public sources to attempt to access plan assets. The DOL encouraged participants to regularly monitor online accounts and cautioned that failing to do so could provide an opportunity for cybercriminals to assume a participant’s identity by opening an account in the participant’s name. When opening an account, participants should use strong and unique passwords and agree to multi-factor authentication to verify their identity. Participants are also advised to keep their personal contact information up to date, delete unused accounts, use antivirus software, and keep apps and software current. Finally, the DOL warned participants to beware of the common warning signs and security risks of free wi-fi and “phishing” attacks.

The DOL stated that its guidance is “an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information” and that the guidance is intended to complement the DOL regulations on electronic records and disclosures to plan participants and beneficiaries. In addition, this guidance provides a framework for plan sponsors and fiduciaries more fully to understand their responsibilities in establishing strong cybersecurity policies and safeguards to guard against the ever increasing threat of cybercrime while also protecting participants’ plan assets.

*      *      *

The DOL guidance clearly reflects the DOL’s view that ERISA plan fiduciaries have an obligation to take reasonable steps to protect plan assets from cyber threats. Indeed, if there is litigation over losses resulting from a cyber security breach, it is possible that the DOL’s views could be a factor in how claims are decided. Consequently, plan sponsors, fiduciaries and record-keepers may well want to act now to review their various service provider relationships and cybersecurity practices in light of the DOL authority.

If you would like to discuss the new DOL cybersecurity guidance under ERISA or any other aspect of plan administration, please contact any of the Dechert lawyers listed below or any Dechert lawyer with whom you regularly work.

Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled hundreds of data breach investigations and handled cyber attacks brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We represent clients holistically through the entire life cycle of issues, including strategic counseling on clients’ data-driven products and services and key laws such as the CCPA, CPRA, VCDPA, Section 5 of the FTC Act, the GDPR and cross-border data transfers, UK Data Protection Act and the e-Privacy Directive as well as transactional diligence and deal support on private equity, corporate transactions and securities offerings.

Footnotes

* See Harmon v. Shell Oil Co., No. 3:20-cv-00021 (S.D. Tex. Mar. 30, 2021) which concluded that plan recordkeeping information is not a “plan asset” under ERISA.

The authors gratefully acknowledge the assistance of Kim Lee, a paralegal at Dechert LLP, in the preparation of this OnPoint.