In releasing its first formal cyber security guidance last month, the Department of Labor (DOL) has clarified what plan sponsors already knew: cybersecurity is a fiduciary responsibility for all employee benefit plan fiduciaries. The DOL guidance provides best practices for plan sponsors, including in handling plan service providers. The DOL checklists may foreshadow what DOL will focus on in its increased cybersecurity enforcement, as well as a roadmap for plaintiffs in private lawsuits seeking damages for security breaches and fraudulent withdrawals.
Cybersecurity Best Practices
As more employee benefit plans rely on technology and the internet to expedite transactions that used to occur only on paper, the cyber risk for plans has grown substantially. Plan fiduciaries have always known that ERISA’s duty of prudence requires attention to a plan’s exposure to cybersecurity risks, but it has been less clear what exactly the DOL will require. In its first formal cybersecurity guidance, the DOL stated clearly that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Cybersecurity is a core plan fiduciary responsibility.
The DOL guidance focuses on three areas vital to enhancing security for plan sponsors.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with solid cybersecurity practices and monitor their activities, as ERISA requires.
- Online Security Tips: Gives plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Whether servicing retirement plans is an in-house function or outsourced, it is incumbent on plan administrators and investment managers to ensure they implement the best possible cybersecurity practices. Following the practical advice in the tips below is the best way for plan administrators to meet the DOL guidelines and strengthen their cybersecurity procedures.
For employee benefit plans, the DOL provides the following best practices:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent, annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have robust access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct annual cybersecurity awareness training.
- Implement and manage a secure system development life cycle (“SDLC”) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data at rest and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Cybersecurity Is About Fiduciary Process
It is important to remember that ERISA is designed to be a law of process and not results. The DOL best practices describe the fiduciary process that plans should follow. Now is a good time to review the best practices against the plan’s cybersecurity strategy. It is also an opportunity to revisit service provider agreements and confirm whether every plan provider has sufficient cybersecurity protocols to protect plan assets. A good, documented cybersecurity process should reduce damages exposure in the event of a cybersecurity incident, and such incidents are becoming more common.
The Euclid Perspective
Cybersecurity is now a key enforcement initiative for the DOL, and we see cybersecurity protocols included in all standard DOL audit requests. The guidance provides a roadmap for what the DOL will look for in plan audits and sets out the minimum standards now expected of all plans.
The DOL guidance offers sound cybersecurity strategies. Many plans already use such security measures as:
- Multifactor authentication.
- Maintaining backup copies of critical plan data, kept separate from production systems, so the plan can recover from a breach or ransomware demand.
- Encryption of sensitive data.
- Security awareness training for plan employees.
But even the best practices need a backup plan. Not mentioned in the DOL guidance is that a vital component of any cybersecurity strategy is to secure insurance protection for the plan. Every plan needs quality fiduciary liability, cyber liability, and crime insurance to be fully protected. Fiduciary liability insurance covers the plan and its fiduciaries against claims of breach of fiduciary duty, and a fidelity bond protects against certain employee theft.
Filling in the Gaps
Even with qualified fiduciary liability coverage, however, there is still a gap without a standalone cyber policy. A cyber policy provides coverage for breach response expenses that are not included in a standard fiduciary policy, including breach notification, crisis management, forensics, and legal expense in the event of a cyber incident. A good cyber policy will also include coverage for cyber extortion and ransomware claims. A plan also needs coverage for business interruption losses and for claims from third parties, including regulatory liability. Finally, a plan needs coverage for cybercrime, including computer fraud, funds transfer fraud, and social engineering claims. Plans need comprehensive fiduciary, crime, and cyber coverage as part of any cybersecurity plan.