Department of Labor's Cybersecurity Guidance for Benefit Plans Signals Increased Scrutiny – JD Supra

On April 14, 2021, the Department of Labor (DOL) issued its first set of guidance documents related to the cybersecurity of retirement benefit plans covered by the Employee Retirement Income Security Act (ERISA). The three-part guidance is aimed at various stakeholders (plan fiduciaries, service providers, and plan participants and beneficiaries) and sets out cybersecurity expectations for plan fiduciaries and best practices for their service providers.

Cybersecurity has become an area of critical importance to plan sponsors and administrators of employee benefit plans, as well as their service providers, as they increasingly rely on the Internet and IT systems to administer those plans. In a February 2021 Government Accountability Office (GAO) report, the GAO, an independent and non-partisan U.S. legislative agency that monitors and audits government spending and operations, highlighted the significant cybersecurity risks to benefit plans and called on the DOL to clarify responsibilities for fiduciaries and to provide guidance on minimum cybersecurity expectations. Although DOL's recent guidance is sub-regulatory guidance, which does not carry the authority of federal agency regulations issued under the Administrative Procedure Act (APA), it represents DOL's first official action focused on mitigating the significant cybersecurity risks to participant data and plan assets.

DOL's three pieces of cybersecurity guidance target different audiences and emphasize the importance of each stakeholder's role in preventing fraud and loss. The following is a brief summary of each guidance document.

DOL's guidance makes clear that protecting participant data and plan assets from cybercriminals is a critical consideration for all benefit plan stakeholders. ERISA establishes minimum standards and requirements intended to protect plan participants and beneficiaries in private sector benefit plans and requires plan fiduciaries to act prudently when administering plans. But ERISA regulations are silent on how plan constituents should comply with these requirements. Prior to issuing its guidance, DOL had not clarified its view as to whether plan administrators were responsible for mitigating cybersecurity risks. The recent guidance makes clear that, in DOL's view, retirement plan fiduciaries are obligated to ensure that cybersecurity risks are properly mitigated, and it provides helpful data points for plan recordkeepers and service providers seeking to protect plan data.

In light of DOL's guidance, plan sponsors and administrators that handle data management in-house and have yet to develop a formal cybersecurity program should do so now, and those with cybersecurity programs currently in effect should re-evaluate those programs to ensure they align with DOL's suggested best practices. Plan sponsors and administrators should also revisit their contractual engagements with service providers to confirm that each provider has adopted a well-documented cybersecurity program that offers adequate protections in the event of a breach. Although the guidance is framed as tips and best practices and currently has no enforcement mechanism, it signals the DOL's heightened focus on cybersecurity in light of more frequent attacks and increasingly sophisticated breach techniques. The guidance specifically addresses retirement plans, but fiduciaries of health and welfare plans are subject to the same fiduciary responsibilities under ERISA. Stakeholders should evaluate their cybersecurity practices and policies and implement the DOL's best practices where possible to reduce the risk that their benefit plans fall victim to data compromise.
