April 19, 2021
Authored by: Lisa Van Fleet and Serena Yee
The clouds have been forming on the horizon for years now: from the courts we have seen emerging lines of ERISA litigation asserting fiduciary obligations to protect the privacy rights of participants, and from the regulatory agencies we have heard an acknowledgment of the need for guidance regarding fiduciary responsibility with respect to cybersecurity risks. A call to action for plan fiduciaries came last week from the Department of Labor (“DOL”) in the form of new Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record-Keepers, Plan Participants. See News Release at https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414.
The DOL guidance provides:
- Tips for Hiring a Service Provider With Strong Cybersecurity Practices
- Cybersecurity Program Best Practices for plan fiduciaries, record-keepers and other service providers
- Online Security Tips for participants to help them reduce the risk of fraud and loss to their retirement accounts and report identity theft and cybersecurity incidents
Cybersecurity Governance Programs
Plan fiduciaries who have not yet developed a cybersecurity governance program should do so now, and existing programs should be re-evaluated and updated in light of this guidance. Such cybersecurity governance programs should address all three aspects of the guidance (i.e., cybersecurity program best practices, guidelines for hiring service providers, and participant education). See Cybersecurity Program Best Practices at https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf.
More specifically, the core elements of a strong cybersecurity governance program should include the following:
- Develop, document and regularly monitor and update a formal cybersecurity program
- Conduct annual risk assessments
- Have a