The U.S. Department of Labor (DOL) recently announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity. Although much of the guidance is aimed at protecting retirement benefits, it also generally applies to health and welfare benefits subject to the Employee Retirement Income Security Act of 1974 (ERISA).
Plan sponsors, fiduciaries, and third-party service providers should seriously evaluate their current cybersecurity protocols and processes in order to reduce their exposure to regulatory and civil liability in connection with cybersecurity breaches affecting employee benefit plans.
Tips for Hiring a Service Provider
ERISA requires that plan sponsors exercise prudence in the selection of service providers, which includes an evaluation of the provider's cybersecurity practices. Plan administration often involves delegating administrative responsibility to third parties that maintain plan records, participant data and other confidential information. When engaging a service provider, the DOL encourages plan sponsors to request information regarding the service provider's information security standards, practices and policies, and its audit results, and to compare them against recognized industry standards. A service provider that does not follow a recognized information security standard should not be considered for engagement.
ERISA requires that plan fiduciaries implement a diligence process for evaluating potential service providers as a matter of prudence. Accordingly, the DOL guidance encourages fiduciaries to evaluate the service provider's track record in the industry, including public information regarding information security incidents and legal proceedings related to the vendor's services. Prudence may also require that the service provider confirm the existence of insurance policies that would cover losses caused by cybersecurity and identity theft breaches, including breaches caused by internal threats (such as misconduct by the service provider's own employees or contractors) and breaches caused by external threats (such as a third party hijacking a plan participant's information).
Additionally, the terms of the contract with the service provider should include provisions addressing the following:
- Clear provisions on the use and sharing of information and confidentiality. The contract should spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification, or misuse.
- Notification of cybersecurity breaches. The contract should specify how quickly the plan sponsor will be notified of any cyber incident or data breach. Where the plan is subject to HIPAA, the same notification terms should also be reflected in the business associate agreement. In addition, the contract should require the service provider's cooperation in investigating and reasonably addressing the cause of the breach.
- Compliance with records retention and destruction, privacy, and information security laws. The contract should specify the service provider’s obligations to meet all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.
- Insurance. The contract should reflect the service provider’s insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and fidelity bond/blanket crime coverage. The plan fiduciary should understand the terms and limits of any coverage before relying upon it as protection from loss.
Once engaged, the service provider's cybersecurity practices should be periodically audited and validated; the duty of prudence does not end at selection.
Cybersecurity Program Best Practices
Consistent with an ERISA fiduciary's duties to act prudently and in the best interest of the plan participants and beneficiaries, the fiduciary has an obligation to protect plan assets and data from access by cybercriminals and to have processes in place to mitigate cybersecurity breaches.