The Guidance, which comes in the form of “tips” and “best practices,” is primarily directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974, as amended (ERISA), as well as service providers and plan participants. The Guidance does not have regulatory authority, but does provide insight into the DOL’s expectations with respect to cybersecurity. As such, it is likely to inform enforcement activity, litigation, and service provider contracting in the future.
While the Guidance is consistent with cybersecurity measures in existing federal and state laws, and other cybersecurity guidance, standards and best practices, it focuses on cybersecurity obligations in the context of ERISA’s fiduciary obligations. The Guidance recognizes that plan sponsors and other fiduciaries have an obligation to mitigate cybersecurity risks, including by prudently selecting and monitoring service providers with strong cybersecurity practices. There are three parts to the Guidance: (1) Tips for hiring a service provider, (2) Cybersecurity program best practices, and (3) Online security tips. The first part of the Guidance sets forth tips for hiring a service provider with strong cybersecurity practices. The second part of the Guidance discusses cybersecurity best practices for recordkeepers and other service providers. The third and final part of the Guidance provides tips for plan participants.
Tips for hiring a service provider
The Guidance sets forth tips to help plan sponsors and fiduciaries meet their responsibilities under ERISA to prudently select and monitor service providers upon whom they rely to maintain plan records and store participant data, focusing on due diligence and contract negotiation. The Guidance recommends that plan sponsors and fiduciaries assess their service providers’ cybersecurity practices by taking the following actions:
- Request copies of each service provider’s information security standards, practices and policies; compare them to industry standards that have been adopted by other, similar institutions; and inquire as to how the service provider validates its practices and implements its policies and standards.
- Confirm whether and how the service provider validates its information security practices.
- Investigate the service provider’s track record of protecting plan data, such as whether the service provider has had any information security incidents or related litigation.
- Ask the service provider if it has had a data security breach, and if so, what happened and what the service provider did in response.
- Confirm the service provider has insurance that covers cybersecurity-related losses and data breaches.
- Ensure the service provider’s agreement requires ongoing compliance with cybersecurity and information security standards and also includes terms that:
  - do not limit the service provider’s responsibility for data security breaches;
  - include a right to audit the service provider’s compliance with its information security policies and procedures;
  - clearly limit the use and sharing of data (including confidential information);
  - require notification of a data breach or cyber incident;
  - require compliance with privacy, security and data retention laws; and
  - require the service provider to meet minimum cyber-insurance requirements.