The U.S. Department of Labor on April 14 issued cybersecurity guidance aimed at protecting retirement accounts. The first-of-its-kind guidance is directed at plan sponsors and fiduciaries subject to the Employee Retirement Income Security Act (ERISA) as well as plan participants.
The guidance came in three separate documents. The first, a list of tips for hiring service providers, is aimed at plan sponsors and fiduciaries. It advises employers to ask about information security standards, practices, policies and audit results. They should also find out whether a potential service provider has experienced past security breaches, evaluate its track record and check whether the provider has any insurance policies that would cover losses from cybersecurity and identity theft breaches.
The first document also recommends contract provisions and terms that help enhance cybersecurity protection. These include requirements for annual third-party security audits, insurance coverage, provisions on the use and sharing of information, and terms governing how a service provider should respond in the event of a cybersecurity breach.
The second document on cybersecurity program best practices is directed toward recordkeepers but also contains tips for fiduciaries on hiring service providers. Fiduciaries should look to hire service providers that have a formal cybersecurity program, conduct annual risk assessments, clearly define and assign information security roles and responsibilities, encrypt sensitive data and conduct periodic cybersecurity awareness training.
The final document contains online security tips for plan participants and beneficiaries. It offers familiar advice on how to avoid phishing attacks, create strong passwords and use multi-factor authentication to keep accounts safe.
“I think the bottom line for employers is this is a great checklist and something that you can easily use to go in and make sure that you’ve vetted your service provider,” said Holland & Hart partner Kevin Selzer.
Fisher Phillips partner Ed Hopkins said that every organization with an ERISA-governed plan should schedule a meeting that includes the chief information security officer or cybersecurity management experts to discuss whether existing cybersecurity protocols already comply with the DOL’s guidance.
“Some of them may find that they’re already checking the box, but they won’t know until they actually meet with their information experts and assess their programs against this new guidance,” Hopkins said.
Hopkins added that while the guidance focuses on cybersecurity protocols, it is important not to ignore the privacy component, and he recommended an organization’s chief privacy officer or privacy counsel also attend.
“There needs to be someone in the room at these types of meetings, in my opinion, that understands privacy laws and how to comply with them,” Hopkins said. “Because at the end of the day, this guidance is really focusing on not only protecting the information from hackers but also managing it in such a way where no more private information is accessible to hackers than is necessary to run the operation.”
Hopkins said the guidance shouldn’t be viewed as a “significant new legal duty” because organizations were already required to safeguard retirement plan information. “The Department of Labor is just saying, ‘This is what you should have been doing, and here’s what you should do if you’re not doing it,’” he said.
Most large employers are already in compliance, Hopkins said, but he added that smaller operations may be less likely to have robust cybersecurity or privacy information management teams.
“It’s very likely that the smaller plans don’t have much of the protection that’s talked about and haven’t done many of these best practices to protect themselves,” Selzer said.
In a press release announcing the guidance, the DOL noted that as of 2018, there were 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants with assets totaling more than $9 trillion.
Hackers have increasingly targeted 401(k) and other retirement accounts in recent years, according to media reports. Employees have sued their employers and recordkeepers for ERISA violations, but many of the cases have settled or are still working their way through the courts.
Last year, a former Estée Lauder employee who had nearly $100,000 stolen from her 401(k) settled with the company and the plan’s recordkeeper, Alight Solutions. In another high-profile case, a former Abbott Laboratories employee sued the fiduciaries of Abbott as well as Alight, the recordkeeper, in an Illinois federal court for breach of their fiduciary duties after a hacker allegedly stole nearly $250,000 from her 401(k) plan. In October, the claims against the Abbott fiduciaries were dismissed while the claims against Alight were allowed to move forward.
Selzer said litigation over retirement plan cybersecurity is “very much an emerging and evolving area of law.” “What’s somewhat significant, although the DOL worded it somewhat carefully, is that they strongly infer that it is a fiduciary duty to protect the plan from cybersecurity threats,” he said.
According to Selzer, most retirement account-related litigation in recent decades has focused on excessive fees, such as lawsuits over plans whose investment options are too expensive or that pay excessive fees to service providers. Those lawsuits have tended to target larger plans because they typically involve a class and larger damages, he said, while smaller plans have not been worth the court battle.
“But cybersecurity litigation very much has the potential for a single participant to have significant damages,” Selzer said. “So, while small plans may not historically have had much of a litigation risk … this is an area where they could get pulled in.”
Selzer said the new guidance is a roadmap for what employers need to be doing to comply with cybersecurity obligations, and he encouraged them to go through each item on the DOL’s checklists and document what they have done to comply.
“I think it’s a good thing overall for employers because it’s bringing more attention to what their responsibilities are and what they should be doing,” Selzer said.
“But it’s not going to be a good thing for an employer that ignores it. You can bet that plaintiff’s attorneys will be waving this in court if you haven’t checked off some or all of the recommended steps.”