Since the mid-2000s, self-insured health plans have been subject to HIPAA security rules. These rules generally require a plan sponsor to protect data about those enrolled in its self-insured health plans, and when hiring a third-party administrator or other vendor who works with enrollee data, include provisions in the contracts governing the security of health plan enrollee data. But outside of the HIPAA context, it’s been unclear whether there’s a similar duty under ERISA.
The Department of Labor (DOL) recently issued guidance aimed at providing best cybersecurity practices for plan sponsors, plan fiduciaries, recordkeepers and plan participants with respect to retirement plans. The guidance comes in three parts: (1) tips for hiring a service provider; (2) cybersecurity program best practices; and (3) online security tips. Because retirement plans hold a significant amount of money and maintain personal participant information, they are a desirable target for cybercriminals. For that reason, the DOL states that plan fiduciaries have an obligation to ensure that proper cybersecurity precautions are in place.
Tips for Hiring a Service Provider
The DOL lists the following items for plan sponsors and fiduciaries to evaluate when selecting plan service providers and monitoring the performance of the selected provider:
- Ask about the service provider’s information security standards, practices and policies, and audit results, and compare that information to industry standards and the standards adopted by other service providers.
- Ask the service provider how it validates its cybersecurity practices and what levels of security standards are in place. Ensure that there are contractual provisions that give the plan fiduciary the right to review audit results.
- Evaluate the service provider’s track record in the industry, including public information regarding security incidents and any litigation or other legal proceedings related to the vendor’s services.
- Ask whether the service provider has experienced any past security breaches, what happened and how the service provider responded.
- Ask whether the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors and breaches caused by external threats, such as a third party hijacking a plan participant’s account).
- After picking a service provider, and when negotiating the contract, ensure that the contract requires ongoing compliance with cybersecurity and information security standards, and beware of contract provisions that limit the service provider’s responsibility for security breaches. The DOL suggests the following additional contract provisions that would enhance compliance: (1) information security reporting; (2) clear provisions on the use and sharing of information; (3) notification of cybersecurity breaches; (4) compliance with records retention and destruction regulations; and (5) requiring insurance coverage.
This guidance requires active vendor management on security issues, and a plan sponsor should involve its information security department in that process. The plan sponsor should also develop (with input from its information security department) contractual language for protection of plan participant data.
Cybersecurity Program Best Practices
With retirement plans being such a desirable cybersecurity target, the DOL provides the following list of best practices for responsible plan fiduciaries to follow to ensure the proper mitigation of cybersecurity risks:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable, annual, third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure systems development life cycle program.
- Have an effective business resiliency program that addresses business continuity, disaster recovery and incident response.
- Encrypt sensitive data, both when stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
A plan sponsor may already have many of these practices in place, but may not have applied them to retirement plans. Thus, a plan sponsor should review its current cybersecurity policies and procedures to see if they need to be revised to address these issues with respect to retirement plans.
Online Security Tips
As part of the guidance, the DOL also provided tips for plan participants in order to reduce the risk of fraud and loss to a retirement account by:
- Registering, setting up and routinely monitoring the participant’s online account.
- Using strong and unique passwords.
- Using multifactor authentication.
- Keeping personal contact information current.
- Closing or deleting unused accounts.
- Being wary of free Wi-Fi.
- Being wary of phishing attacks.
- Using antivirus software and keeping applications and software current.
- Knowing how to report identity theft and cybersecurity incidents.
Retirement plan funds are increasingly a target of cybercriminals, so plan sponsors should communicate these tips to plan participants to reduce the incidence of fraud.
Warner Can Help!
At Warner, we’ve been working with clients for years to address privacy and security issues, both with internal policies and procedures and in contracting with vendors. If you need assistance in implementing this guidance, please contact Norbert Kugele, Brianna Richardson or a member of Warner’s Employee Benefits/Executive Compensation Practice Group.