Cybersecurity: Another Responsibility for Retirement Plan Sponsors & Fiduciaries

Enterprise Iron Financial Industry Solutions, Inc.

Cybersecurity is the art of protecting networks, devices, and data from unauthorized access and unlawful use. An integral component of a cybersecurity program involves ensuring the accuracy, integrity, and availability of information. The ability of the U.S. Government, Fortune 500 firms, and public and private companies to craft and execute effective cybersecurity policies, processes, and procedures is a daily challenge that costs hundreds of millions of dollars annually.

Yet, headlines are full of stories detailing massive data breaches involving the passwords, ids, and SSNs of millions of people. There are often far more severe situations like the recent ransomware attacks on Colonial Pipeline and JBS, the second-largest meatpacker in the world.

The interconnectedness of the technology we rely upon also enables a small number of bad actors to wreak substantial damages on firms and governmental entities. In the process, millions of people have their identity, health records, and critical financial information like retirement, credit card, and bank accounts comprised, or in the worst-case scenario – stolen.

In April 2021, The U.S. Department of Labor issued new guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on best practices to establish, enhance and maintain cybersecurity for the $9.3 Trillion held in DB and DC plans.¹ The objective is to protect the retirement benefits of the 140 million American workers covered by these plans.

The timing of this guidance was interesting. It came shortly after a Government Accountability Office (GAO) report was issued in February 2021.² That report highlighted the risks of sharing Personally Identifiable Information (PII) such as SSNs, DOB, retirement account, and bank account data through the mammoth IT infrastructure within the retirement plan ecosystem. Risk can emanate from different sources and take various forms.

The GAO report had two recommendations:

  1. The DOL should formally state if cybersecurity for ERISA is a plan fiduciary responsibility
  2. The DOL should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks to plans and service providers that administer plans

The DOL took the GAO recommendations seriously and provided guidance. They also made it clear that cybersecurity is a plan sponsor responsibility by indicating that ERISA’s duty of prudence encompasses “an obligation to ensure mitigation of cybersecurity risks.”³

The DOL guidance, created by the Employee Benefits Security Administration (EBSA), addressed the key constituencies within the retirement ecosystem:

  • Plan Sponsors and Plan Fiduciaries
  • Recordkeepers
  • Participants

The guidance helps plan sponsors, fiduciaries, and plan participants “safeguard retirement benefits and personal information.”⁴ The DOL was explicit that their view is the guidance “emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime.”⁵

The guidance features Tips for Hiring a Service Provider, designed to help plan sponsors and fiduciaries select providers with robust cybersecurity capabilities.

A Cybersecurity Best Practices document aims to help fiduciaries understand and manage their cybersecurity responsibilities. Also included is an Online Security Tips factsheet for participants.

  • The Tips for Hiring a Service Provider is a valuable document that recommends asking questions about a firms’ policies and track record. You should also ask about previous breaches, if any, insurance coverage, and the procedures for using, storing, and sharing participant data.
  • The Cybersecurity Best Practices information is targeted at recordkeepers and other service providers and is a compendium of what a provider should have. It covers everything from access controls to disaster recovery and independent threat assessments.
  • The Online Security Tips recommends a series of practical steps a participant can take to protect their information.

It is noteworthy that the Tips for Hiring a Service Provider and the Cybersecurity Best Practices guide do not address if these rules impact current service providers. It is our opinion that the DOL believes they do, and therefore, plan sponsors should review these guidelines with their current plan provider.

Should you or your plan committee need assistance understanding cybersecurity or how the regulations impact your retirement plan, Enterprise Iron is here to help. We’ve worked with public and private plans of all sizes, plan types, and the service providers who support them. We provide an independent, objective assessment of your plan and service providers’ compliance with the new guidelines to identify any areas of improvement. Enterprise Iron will work with you to implement any needed changes.

Turning Up the Heat

While the guidance lacks the weight of regulation, immediately after it was released, there were reports that the DOL launched a series of inquiries about retirement plans’ cybersecurity practices. There are also reports that the DOL audit process now includes questions about the cybersecurity practices, policies, and procedures that a plan sponsor or their service providers apply to the plan.

It is hard to imagine what comes next. Still, the focus on cybersecurity implies that the DOL will start to hold plans and their fiduciaries accountable for cybersecurity. Besides the specter of a DOL enforcement action, this guidance should remind plan sponsors that if a cybersecurity breach ever impacts their plan, they need to be prepared. Class action lawsuits that argue that they chose the wrong service provider or that PII was misused or not protected are possible. Service Providers like recordkeepers, TPAs, and advisors will likely be inundated with requests to divulge the precise details of their cybersecurity and information security practices.

What’s Next

Without question, this guidance is a watershed event. While there are still quite a few open questions, e.g., Must a plan sponsor distribute the Online Security Tips to every employee? If so, when? Regardless, the headline is that the DOL has invoked the ERISA duty of prudence to advise plan sponsors and fiduciaries responsible for combating cybercrime. Understanding the nuances of cybersecurity may not be new for some plan sponsors and fiduciaries, but it is likely to be intimidating for many.

Next Steps

We encourage plan sponsors, fiduciaries, and service providers to:

  • Read the new DOL guidance
  • Conduct a detailed review of your organization’s adherence to these precepts
  • Review your service providers adherence to these guidelines

Regardless of your role, Enterprise Iron is here to help. We have a rich history of helping plan sponsors, and service providers comply and adapt to new guidance. Working with our veteran Plan Sponsor Services team, you can be confident that your plan and its service providers – from advisors to payroll providers and recordkeepers – understand and carry out their fiduciary duties.

Contact us if you have any questions about the new Cybersecurity guidance, a fiduciary’s prudence duty, or any questions regarding your retirement plan!