The three pieces of guidance are: 

In the introductory paragraph to Cybersecurity Program Best Practices, the DOL minces no words about plan sponsor responsibility:

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

This article discusses some of the most important practices suggested by the DOL for mitigating those cybersecurity risks. However, the article is only a summary of some of the practices; it’s not a substitute for reading the DOL materials. As a suggestion, the materials could be reviewed and discussed at a plan committee meeting. That’s the first step in demonstrating that the committee members engaged in a prudent process for protecting participant information and benefits from cybersecurity breaches.

Fiduciary Duty and Best Practices for Plan Sponsors

The first of the DOL documents, Tips for Hiring a Service Provider with Strong Cybersecurity Practices (“Plan Sponsor Tips”), lists a series of questions for plan sponsors to ask of their service providers, and particularly of their recordkeepers. Plan sponsors should consider sending a copy of this article to their recordkeeper with a request for answers to those questions. As a practical matter, most recordkeepers should have reviewed the DOL materials by now and have prepared answers to the questions. 

Here are some of the questions in the DOL materials:

Ask about the service provider’s information-security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. 

Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity. You can have much more confidence in the service provider if the security of its systems and practices is backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.

Comment: While it may be difficult to compare the recordkeeper’s practices to “industry standards adopted by other financial institutions,” plan sponsors should consider getting a representation from the recordkeeper that its practices are consistent with industry standards. In addition, a plan sponsor’s IT personnel (or consultants) may be able to compare the recordkeeper’s practices to the general expectations about the protection of confidential information. Finally, if there is an audit report and it (or a summary) is available, it should be reviewed for “red flags” such as findings of problems in the systems and practices.

Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.

Comment: If there have been security breaches, the recordkeeper should have promptly responded to the problem and taken steps to fix the problem. Make sure to get that answer. Also, a positive sign would be if the service provider responded quickly and communicated openly and truthfully with its customers, and restored any losses resulting from the breaches.

Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity-theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account).

Comment: Obviously the best answer is an unqualified “yes” to every part of this question. But if the answer is equivocal or subject to limitations, a plan sponsor should inquire further to make sure that it understands the answer and the limitations, and should consider whether the response is acceptable. If not, a plan sponsor should consider changing providers.

The Tips go on to describe the terms of the agreement with the service provider (e.g., the recordkeeper) and to suggest provisions that would be protective of the plan and its covered employees.

Best Practices for Service Provider Cybersecurity Programs

The next document, Cybersecurity Program Best Practices, describes “best practices” for service providers to retirement plans. However, while “best practices” generally means something the law doesn’t necessarily require, there’s a good chance that much of the discussion in this document will be the basis for DOL investigations in the future. And, while these best practices are directed to the service providers, plan sponsors should also pay attention to them in their selection and monitoring of service providers. In that regard, plan sponsors may also want to send this DOL document to their recordkeepers and ask if the recordkeepers are taking all of the steps outlined by the DOL and, if not, which steps are not being implemented and why. The responses should provide valuable information for plan sponsors to consider in evaluating the cybersecurity practices and how that might affect their plans and participants.

For example, one of the 12 points in these Best Practices is:

Responsiveness to Cybersecurity Incidents or Breaches 

When a cybersecurity breach or incident occurs, appropriate action should be taken to protect the plan and its participants, including:

  • Informing law enforcement.
  • Notifying the appropriate insurer. 
  • Investigating the incident. 
  • Giving affected plans and participants the information necessary to prevent/reduce injury. 
  • Honoring any contractual or legal obligations with respect to the breach, including complying with agreed-upon notification requirements. 
  • Fixing the problems that caused the breach to prevent its recurrence.

Comment: Earlier in this article, in the discussion of questions a plan sponsor should ask, one of the questions was about responses to cybersecurity breaches. If the answer to that question is consistent with these steps suggested by the DOL, that would be reassuring to a plan sponsor. 

Online Security Tips for Participants

The third piece of guidance by the DOL is directed to participants and suggests basic steps that participants can take to protect their information and benefits. Plan sponsors should consider working with their service providers to circulate this document (or something similar) to their participants once a year. While that isn’t required by the law, it’s usually better to avoid a problem than to argue about who is responsible.

For example, three of the Tips for participants are:

1. Use Strong and Unique Passwords 

  • Don’t use dictionary words. 
  • Use letters (both upper and lower case), numbers, and special characters. 
  • Don’t use letters and numbers in sequence (no “abc”, “567”, etc.). 
  • Use 14 or more characters.
  • Don’t write passwords down. 
  • Consider using a secure password manager to help create and track passwords. 
  • Change passwords every 120 days, or if there’s a security breach. 
  • Don’t share, reuse, or repeat passwords.

2. Be Wary of Free Wi-Fi

  • Free Wi-Fi networks, such as the public Wi-Fi available at airports, hotels, or coffee shops, pose security risks that may give criminals access to your personal information.
  • A better option is to use your cellphone or home network.

3. Beware of Phishing Attacks

  • Phishing attacks aim to trick you into sharing your passwords, account numbers, and sensitive information, and gain access to your accounts. A phishing message may look like it comes from a trusted organization, to lure you to click on a dangerous link or pass along confidential information.
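
The password rules in item 1 above are concrete enough to be checked mechanically. The following Python script is an added example, not code from the DOL or from this article: it validates a candidate password against the checkable rules (14+ characters, all four character classes, no dictionary words, no sequential runs such as “abc” or “567”, no reuse) and flags when the 120-day rotation or a breach calls for a change. The small word list, the function names and the use of SHA-256 fingerprints for the reuse check are assumptions made for this example; a real deployment would use a full dictionary and its own credential store.

```python
import hashlib
import string
from datetime import date

# Constructed stand-in for a real dictionary (assumption for this example).
SAMPLE_DICTIONARY = {"password", "welcome", "retirement", "summer", "benefit", "login"}

MIN_LENGTH = 14      # "Use 14 or more characters"
MAX_AGE_DAYS = 120   # "Change passwords every 120 days"
SEQUENCE_LEN = 3     # "no 'abc', '567', etc."


def has_sequence(pw, run=SEQUENCE_LEN):
    """True if pw contains `run` consecutive letters or digits that step
    by exactly one, ascending or descending (e.g. 'abc', '567', 'cba')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        # Only all-letter or all-digit chunks count as a sequence.
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_dictionary_word(pw, dictionary=SAMPLE_DICTIONARY, min_len=4):
    """True if any dictionary word of at least min_len letters appears in pw."""
    low = pw.lower()
    return any(w in low for w in dictionary if len(w) >= min_len)


def fingerprint(pw):
    """SHA-256 hex digest used to compare against previously used passwords
    without keeping them in plaintext (demonstration only)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, previous_hashes=frozenset(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in pw):
        failures.append("uppercase")
    if not any(c.islower() for c in pw):
        failures.append("lowercase")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("special")
    if contains_dictionary_word(pw, dictionary):
        failures.append("dictionary")
    if has_sequence(pw):
        failures.append("sequence")
    if fingerprint(pw) in previous_hashes:
        failures.append("reuse")
    return failures


def rotation_due(last_changed, today=None, breach=False):
    """True when the password is at least MAX_AGE_DAYS old or a breach occurred."""
    today = today or date.today()
    return breach or (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["abc123", "Password2024!!Secure", "K9#mRw!pQ2vL$hZ"]:
        print(repr(candidate), "->", check_password(candidate) or "passes")
    print("rotation due:", rotation_due(date(2024, 1, 1), today=date(2024, 4, 30)))
```

Each failed rule is reported by name so a participant-facing form can explain exactly which of the DOL tips the candidate password misses rather than rejecting it silently.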

These are commonly known methods for avoiding cyber problems, but many of the cybersecurity cases involve the use of participant information that was obtained by cyber thieves. In some cases, it appears that the participant information was obtained from the participant or the participant’s computer. As a result, it would be good risk management for plan sponsors to periodically remind their participants of these risks and the basic steps that can be taken to avoid the loss of their information or their benefits.

Concluding Thoughts

A few years ago, 401(k) cybersecurity was not even on the agendas for 401(k) committee meetings. Now it’s one of the top issues for plan operations and DOL investigations, as well as being a subject of litigation. Plan sponsors should respond to this change by elevating the importance of cybersecurity in the performance of their fiduciary jobs. 

The DOL’s guidance offers a foundation for doing that. Plan sponsors, and their committee members, should review the three pieces of DOL guidance so that they understand the “best practices” for doing their job—realizing that a best practice may be a “soft” label for a legal requirement. The next steps, after reviewing the materials, are to (1) get answers from the recordkeepers to the issues raised in the Plan Sponsor Tips (“Tips for Hiring a Service Provider”) and the Service Provider Best Practices (“Cybersecurity Program Best Practices”), and (2) coordinate with the recordkeeper to distribute the Online Security Tips to the plan participants.

Forewarned is forearmed. Cyber issues should now be a regular agenda item for meetings of plan committees.