DOL Echoes Employee Benefits and Cybersecurity Best Practices
On April 14, 2021, the U.S. Department of Labor’s (“DOL”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance was highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise.
The 2021 guidance focused on actions that plan sponsors, plan fiduciaries, record-keepers, and plan participants could take to increase security related to benefit plans. Specifically, the three-part guidance included (see DOL links below):
- Tips for hiring third party service providers with strong cybersecurity practices,
- Cybersecurity program best practices, and
- Online security tips for employee benefit plan participants.
The EBSA issued an update to the 2021 guidance on September 6, 2024 (the “Update”). In the Update, the EBSA confirmed that the previously published guidance applies to all types of plans – including health and welfare plans and all plans governed by the Employee Retirement Income Security Act (“ERISA”).
ERISA imposes certain fiduciary duties on plan fiduciaries with respect to recordkeeping and the selection and monitoring of service providers. As recently as February 2021, the Government Accountability Office (GAO) urged the DOL to state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks. Notably, and for the first time, the EBSA best practices guidance states that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Therefore, plan fiduciaries should, for example, conduct proper due diligence to confirm that service providers adhere to prudent cybersecurity practices and procedures to protect plan participants’ information, data, and accounts. Plan fiduciaries should also monitor the vendor’s adherence to these practices on an ongoing basis.
Below, we summarize the EBSA guidance.
Third Party Service Providers
Hiring a service provider can be a long and arduous task, but the obligation to mitigate cybersecurity risks means that these risks cannot be overlooked. Specifically, some of the tips provided by the EBSA include:
- Asking the vendor how it secures data;
- Inquiring about previous data breaches or security incidents that the vendor may have experienced;
- Investigating the level of insurance carried by the provider that would cover losses caused by cybersecurity or identity theft breaches – and whether those policies will cover the costs associated with required notification under each state’s laws;
- Ensuring any contract that is entered into with a service provider includes a provision that requires ongoing cybersecurity compliance and enhancement.
These factors will be familiar to businesses that have implemented a strong vendor management program that accounts for cybersecurity issues. Many of these factors will be part of a vendor search, and some will matter most during the contract review stage of hiring a new vendor. At all times, the plan sponsor should take the action necessary to secure and protect the data of its plan participants.
Cybersecurity Program Best Practices
The guidance provided by the EBSA includes a “best practices” document that outlines helpful tips for ensuring that record-keepers and other service providers are making prudent decisions. For example, the EBSA suggests that plan sponsors adopt a formal, well-documented cybersecurity program. A cybersecurity program and its policies are intended to protect the infrastructure and information within a benefit plan.
Additional steps recommended by the EBSA include conducting annual risk assessments, hiring a reliable third-party auditing firm to review systems, clearly defining roles for individuals involved with the plans, and conducting cybersecurity awareness training, among others.
Participant-Focused Guidance
The EBSA also provides guidance specific to plan participants who access their information online. The guidance provides general tips for reducing and avoiding the risk of fraud or loss for an individual’s retirement account. Some of the tips provided include using multi-factor authentication, routinely monitoring the online account, avoiding accessing the account over free Wi-Fi, and closing accounts that are no longer used.
Plan sponsors and fiduciaries should be aware of the latest guidance regarding online security tips and should be promoting the recommendations to their participants and employees.
Next Steps
We recommend that plan sponsors and fiduciaries:
- Establish strong procedures, protocols, policies, and other safeguards to protect participants’ data and their retirement accounts,
- Develop a process for prudent selection and monitoring of their plan service providers to ensure that they also maintain and follow strong cybersecurity and breach response procedures, and
- Establish and practice an incident response plan before a cybersecurity incident occurs, and follow the plan if an incident does occur, including contacting your Foster Swift attorney.
Many plan sponsors and fiduciaries, as well as plan service providers, have already developed these policies and procedures, and drafted contracts to reflect them. These policies, procedures, and agreements should be reviewed and updated, or established if not yet in place, to reflect the EBSA guidance. Please contact us for assistance in doing so.
- Amanda Dernovshek...517.371.8259...adernovshek@fosterswift.com
- Taylor Gast...517.371.8238...tgast@fosterswift.com
- Mindi Johnson...616.726.2252...mjohnson@fosterswift.com
Categories: Alerts and Updates, Cybersecurity, Department of Labor, Employee Benefits, IT Contracts, Technology
Amanda Dernovshek is an employee benefits attorney in our Business and Tax group. Her practice focuses on issues related to employee stock ownership plans (ESOPs), non-qualified deferred compensation plans, qualified retirement plans, and general business planning. Amanda also assists the Firm’s mergers and acquisitions team.
Taylor Gast helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Tax practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology-related issues.
With a business-minded approach and service-oriented delivery, Mindi Johnson helps clients navigate challenges and solve problems in the areas of employee benefits law and health care law. Mindi has spoken and written extensively on employee benefits, health care reform, and health care law topics, and is actively involved in a number of legal, professional, and industry organizations focused on these issues.