On March 15, 2021, the Government Accountability Office (GAO) published a report recommending that the U.S. Department of Labor (DOL) formally state whether it is an ERISA plan fiduciary’s responsibility to mitigate cybersecurity risks in DC plans and establish minimum expectations for addressing these exposures. The DOL responded that, in its view, plan fiduciaries are responsible for taking precautions to minimize cyber attacks on their plans and indicated that it was drafting compliance assistance materials to raise awareness.

On April 14, 2021, the DOL’s Employee Benefits Security Administration (EBSA) released three publications that together constitute its first-ever cybersecurity guidance directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA), and at plan participants and beneficiaries. Tips for Hiring a Service Provider with Strong Cybersecurity Practices[1] helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor its activities, as ERISA requires. Cybersecurity Program Best Practices[2] assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. Online Security Tips[3] offers plan participants and beneficiaries basic rules to help reduce the risk of fraud and loss.

What You Should Know

  • Though the DOL terms the instructions “tips” and “best practices,” the guidance can be viewed as an attempt to establish minimum expectations that will likely affect regulation and enforcement.
  • Ensuring proper mitigation of cybersecurity risks has been determined to be a fiduciary obligation. However, DOL also recognizes that participants and beneficiaries have an important role to play in maintaining cybersecurity.
  • Evaluating cybersecurity practices has been identified as part of the fiduciary’s duty to prudently select and monitor plan service providers. The hiring and monitoring tips provided by the DOL suggest significant due diligence obligations.
  • Discussions on data protection with service providers can begin at the RFP phase. It is advisable for plan sponsors to inquire about what data is needed by a service provider and for what purpose during the RFP phase of engagement. Information about cross-marketing and cybersecurity practices should also be obtained through the RFP phase and a limited scope for the use of participant data should be established.
  • This guidance complements EBSA’s previously released regulations on electronic records and disclosures which require that reasonably calculated steps are taken to protect the confidential information of participants and beneficiaries.
  • Plan fiduciaries should carefully analyze the new DOL cybersecurity guidance as part of broader measures to protect plan assets and personal information. In particular, sponsors should review the plan’s service provider contracts and re-evaluate hiring practices to confirm that the DOL’s new guidance is followed.
  • It may be advantageous for sponsors to distribute the DOL’s online security tips to their plan participants. If this is done, a record of this distribution should be kept.
  • Significant cybersecurity risks for plan sponsors, service providers, and plan participants can surface in the sharing and storing of participants’ personally identifiable information (PII). Failure to protect against a cybersecurity attack or data breach can result in:
      • Losses of both PII and plan assets, which could lead to identity theft and adverse financial consequences for plan participants.
      • Reputational and financial harm for the plan sponsor and service provider.
      • Lawsuits alleging that a plan fiduciary and/or service provider breached ERISA responsibilities.