ERISA cybersecurity lessons for entrepreneurs
May 19, 2021
Ogletree, Deakins, Nash, Smoak and Stewart
Retirement plans are increasingly exposed to cybersecurity incidents, and the U.S. Department of Labor (DOL) has taken notice. On April 14, 2021, the DOL published cybersecurity guidance “for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity, including tips” for hiring service providers and online security tips for participants. In recent years, DOL guidance that relaxed the rules for electronic communications with plan participants may have made participants more susceptible to phishing attempts that masquerade as official plan communications. In addition, a 2019 Internal Revenue Service hardship withdrawal rule allowed participants to submit self-certifications electronically to satisfy hardship withdrawal requirements. Then, in 2020, the DOL finalized new rules for electronic disclosure of retirement plan information. The DOL now appears to be seeking a balance between the growth of electronic communication and cybersecurity safeguards.
Litigation under the Employee Retirement Income Security Act of 1974 (ERISA) arising from cybersecurity threats has highlighted the plan fiduciary’s duty to prudently select and monitor service providers. Although litigation in this area is still limited, employers have fared well so far, with cases frequently dismissed. In an order dated February 8, 2021, granting an employer’s motion to dismiss, the U.S. District Court for the Northern District of Illinois found that the employer could not have breached its duty to prudently select the recordkeeper, because all of the cybersecurity incidents occurred after the date the employer initially hired the recordkeeper and before the renewal of its contract. The court concluded that the cybersecurity incidents that occurred before the renewal of the recordkeeper’s contract did not make the recordkeeper an “objectively unreasonable” choice of provider. In assessing those incidents, the court stated that they were “limited in size and scope, did not involve significant lapses in security protocols, and did not result in the theft of customer funds.”
Employers may also take comfort from the dismissal of a recent class action over the use of participants’ data, including names, contact information, and Social Security numbers. The court determined that this information, when held by plan fiduciaries, generally does not constitute an ERISA plan asset. This holding closes the door on several ERISA causes of action, such as prohibited-transaction claims, based on the use and transfer of participant information. In that case, the recordkeeper allegedly used plan participants’ contact information to market other products to them, such as credit cards, individual retirement accounts, and life insurance. The plaintiffs had attempted to pursue breach of fiduciary duty and prohibited-transaction claims based on the use of plan participants’ information. In granting the dismissal, the U.S. District Court for the Southern District of Texas examined the two regulations that define plan assets as plan participants’ contributions and investments, and found that neither referred to plan “data,” a conclusion supported by prior precedent.
The DOL best practices guidance includes many specific action items. Several of the DOL’s recommendations are summarized below.
- Create and maintain well-documented cybersecurity programs. The DOL advises plans and service providers to implement robust programs run by cybersecurity teams that report at the senior executive level (e.g., to a chief information security officer). The DOL guidance includes a recommendation that independent third-party auditors review these programs annually. The guidance also states that cybersecurity programs should address access controls, physical security, incident response, and cybersecurity training, as well as the technical aspects of data privacy: data backup, data disposal, system operations, network security and monitoring, firewalls, intrusion detection, antivirus software, patch management, multi-factor authentication, and encryption.
- Conduct annual risk assessments and/or third-party audits. The DOL notes that risk assessments should identify weaknesses in existing systems and controls. Assessments should also analyze whether the risks from any incident in the prior year were identified and how effective the response was. The guidance further states that cybersecurity teams should update their programs to address identified weaknesses and to respond to changes in technology, data privacy regulations, and the nature of cybersecurity threats. These assessments may be outsourced to independent third-party auditors. The DOL advises employers to retain sufficient documentation of audits and test reports, third-party files and supporting documents, including records of corrective action taken in response to audit findings.
- Establish strong access controls. Access to plan participants’ data should be limited on a “need-to-access” basis. The DOL recommends reviewing access privileges at least every three months, including disabling or deleting inactive accounts. Users who have access to participant data should be required to use multi-factor authentication, together with complex and unique passwords. A cybersecurity program should also address monitoring of authorized users’ activity.
- Require annual risk assessments of all third-party service providers (and their service providers). In the guidance, the DOL encourages plans to negotiate with all service providers, including cloud storage providers, to require annual risk assessments or third-party security audits of any of the providers’ own service providers that have access to participant data. All audit documentation should be provided to the plan as part of the plan’s annual cybersecurity review of its service providers. Plan cybersecurity teams should identify the minimum protections that service providers must meet.
- Maintain system development lifecycle (SDLC) programs. An SDLC program should implement controls to validate participants’ loan applications, withdrawals, and distributions. The DOL suggests that these controls may include sending alerts to participants through several communication methods after account information has changed, requiring waiting periods before any account requests are processed if the information has changed recently, and requiring several forms of validation for any non-rollover distribution.
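As an added illustration (not code from the article or from the DOL guidance), the following Python sketch shows the three transaction controls described in the last bullet: alerts on every channel on file after an account-detail change, a waiting period for distribution requests made soon after such a change, and extra validation for non-rollover distributions. The ten-day waiting period, the two-validation threshold, and the sample participant data are assumed values constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple, List

# Assumed policy parameters: the DOL guidance names the controls, not the numbers.
WAITING_PERIOD = timedelta(days=10)   # hold requests this long after a profile change
REQUIRED_VALIDATIONS = 2              # independent checks needed for a non-rollover payout


@dataclass
class DistributionRequest:
    participant_id: str
    amount: float
    is_rollover: bool          # direct rollover to another plan/IRA: funds stay in a retirement account
    requested_at: datetime
    validations_passed: int    # e.g. MFA code plus a callback to the phone number already on file


def change_alerts(channels: dict) -> List[Tuple[str, str, str]]:
    """Build one alert per contact channel on file after account details change.

    Alerting every channel, not just the newly changed one, means that someone who
    swapped the e-mail address cannot suppress the warning sent to the old phone number.
    """
    text = "Your plan account details were changed. Contact the plan if you did not request this."
    return [(name, address, text) for name, address in channels.items()]


def evaluate_request(req: DistributionRequest,
                     last_profile_change: Optional[datetime]) -> Tuple[str, str]:
    """Apply the controls to a distribution request; returns (decision, reason)."""
    if last_profile_change is not None:
        elapsed = req.requested_at - last_profile_change
        if elapsed < WAITING_PERIOD:           # also catches a change logged after the request
            remaining = WAITING_PERIOD - elapsed
            return "hold", (f"account details changed {elapsed.days} day(s) ago; "
                            f"hold for {remaining.days} more day(s)")
    if not req.is_rollover and req.validations_passed < REQUIRED_VALIDATIONS:
        return "deny", (f"non-rollover distribution needs {REQUIRED_VALIDATIONS} "
                        f"validations, got {req.validations_passed}")
    return "approve", "controls satisfied"


# Constructed sample data: a bank-account change on 2021-04-20, then four requests.
SAMPLE_CHANGE = datetime(2021, 4, 20, 9, 0)
SAMPLE_CHANNELS = {"email": "participant@example.com", "sms": "+1-555-0100"}
SAMPLE_REQUESTS = {
    "soon_after_change": DistributionRequest("P001", 25000.0, False, datetime(2021, 4, 22), 2),
    "weak_validation":   DistributionRequest("P001", 25000.0, False, datetime(2021, 5, 5), 1),
    "fully_validated":   DistributionRequest("P001", 25000.0, False, datetime(2021, 5, 5), 2),
    "rollover":          DistributionRequest("P001", 25000.0, True,  datetime(2021, 5, 5), 0),
}
```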
The DOL also published separate guidance on the prudent hiring of service providers, underscoring the importance of this duty for ERISA plan sponsors. Plan sponsors may wish to consider the following questions raised by the DOL guidance:
- How do the service provider’s information security standards and policies compare with those of other financial institutions? The DOL advises that the contract with the service provider “require ongoing compliance with cybersecurity and information security standards.”
- Does the service provider undergo annual third-party audits, and is it willing to share the audit reports with customers?
- Has the service provider had publicly reported security incidents or legal proceedings related to cybersecurity?
- How has the service provider responded to past breaches, if any?
- Does the service provider carry insurance covering losses caused by cybersecurity breaches? The DOL advises seeking a policy that covers internal threats (such as misconduct by employees or contractors) as well as external ones.
Given the constantly evolving nature of cybercrime, the DOL guidance suggests that plan sponsors maintain cybersecurity policies with routine reviews and updates to keep pace with technological change. The DOL’s publication of the guidance may signal that the agency will pay closer attention to cybersecurity in future plan audits.
The content of this article is intended to provide general guidance on the subject. You need to seek specialized advice on your specific circumstances.