The U.S. Department of Labor (DOL) recently announced new guidance for plan sponsors, fiduciaries, record keepers and participants on best practices for maintaining cybersecurity. This is the first time the DOL has issued such guidance, and it comes in response to a recent General Accounting Office (GAO) report addressing increased cybersecurity risks to retirement plan participant data and plan assets. If there is one central message to the guidance, it is this: the DOL now considers cybersecurity to be an ERISA fiduciary function. Stated another way, the fiduciary decision to select and monitor service providers now requires an evaluation of each service provider’s cybersecurity program.
That is a new responsibility for fiduciaries, although it was probably inevitable. If the DOL hadn’t published guidance, the plaintiff’s bar might have tried to gain traction in this area. The good news is that cybersecurity, like other fiduciary decisions, is less about outcome and more about process. If a cyberattack compromises plan participant data, that is not per se evidence of a fiduciary breach (just as a stock market crash is not per se evidence of imprudent investment options). Instead, the key question is what process the plan sponsor used to evaluate a service provider’s cybersecurity, and how thorough the plan sponsor’s due diligence was.
The DOL guidance comes in the form of “tips” and “best practices,” as described below:
- Tips for plan sponsors and fiduciaries: guidance on how to prudently select a service provider with strong cybersecurity practices and monitor its activities;
- Cybersecurity program best practices for record keepers and other service providers;
- Online security tips for plan participants.
While these documents are neither as weighty nor as binding as a regulation would be, they inform the plan sponsor and fiduciary community of how the DOL will evaluate these issues.
We expect that this guidance is the first step in a longer-term process. In particular, the DOL may start audit and enforcement initiatives to determine whether plan sponsors and fiduciaries are following these practices. The plaintiff’s bar also could review this guidance when deciding whether to target a particular plan sponsor for a lawsuit. If a security breach or cyberattack occurs, a fiduciary will have been wise to have followed these practices. Accordingly, we recommend that plan sponsors and fiduciaries contact legal counsel who can help them navigate and implement a procedural fiduciary action plan. Each sponsor’s situation and relationships with service providers will be unique and thus will require careful review.