Join Two West and Endeavor Retirement as we help plan sponsors understand and comply with the strict legal obligations that apply to plan fiduciaries under ERISA as well as applicable state laws. Best practices suggest attending at least one fiduciary training session per year.
Plan Sponsor Quick Guide to Cybersecurity
Cybersecurity breaches are an escalating threat, and ERISA-covered plans are prime targets: they hold large pools of assets and sensitive personal data on every participant. The rise in lawsuits against both service providers and plan sponsors for failing to protect participant data shows how urgent the issue has become.
According to the Department of Labor (DOL), plan fiduciaries must act prudently and in the best interest of plan participants and beneficiaries, and that duty includes taking appropriate measures to mitigate cybersecurity risk. Protecting plan data is therefore a fiduciary obligation, not merely an IT concern.
A notable case, Walsh v. Alight Solutions LLC, No. 21-3290 (7th Cir. 2022), in which the Seventh Circuit upheld enforcement of a DOL subpoena seeking cybersecurity-related records from a recordkeeper, underscores the importance of robust cybersecurity measures for plan service providers and demonstrates the DOL’s commitment to enforcing these standards. It is a stark reminder of the legal and ethical imperative to protect participant data.
Let’s Get Started
The DOL issued cybersecurity guidance in 2021 and updated it in 2024. As you review the DOL guidance (see below) and prepare to implement a cybersecurity program or test an existing one, consider the questions below as they relate to your plan-related personally identifiable information (PII). This self-assessment may also help fiduciaries prepare for the next annual large plan audit, a DOL inquiry or litigation:
- Educate Plan Fiduciaries:
- Have the plan’s fiduciaries engaged in training (e.g., documenting their review of this guide or other materials) related to the DOL’s cybersecurity guidance?
- Where the plan’s fiduciaries lack the expertise to understand the DOL’s cybersecurity guidance, have the plan’s fiduciaries hired outside experts to assist?
- Does the plan have insurance to cover cybersecurity breaches related to the plan?
- Gather Relevant Information:
- Have the plan’s fiduciaries undertaken an inventory of all plan records and participant data, including PII (collectively, plan data) that is created, utilized or disclosed?
- Have the plan’s fiduciaries taken inventory of and documented all the service providers that have access to plan data?
- Conduct an Objective Assessment and Document the Decision:
- For each service provider, conduct an objective analysis of its cybersecurity program and compare it against what is reasonable given the provider’s role and the sensitivity of the plan data it handles. Analyze and document each provider independently and record the rationale for your conclusions. If a service provider declines to provide requested information, citing confidentiality or the cybersecurity risk of disclosure, document the response and make a determination as to whether the refusal was legitimate.
- Does each service provider demonstrate that their program enables them to:
- Identify risks to assets, information and systems
- Protect each of the necessary assets, data and systems
- Detect and respond to cybersecurity events
- Recover from a cybersecurity event
- Disclose the event as appropriate
- Has each service provider’s program met the following criteria:
- Approval by the service provider’s senior leadership
- Terms are effectively explained to users
- Annual review by an independent third-party auditor who confirms compliance
- Documentation of framework(s) they use to assess the security of their systems and practices
- Based on your analysis, determine if changes to existing contracts with your service providers are necessary.
- If you determine that existing contracts are not sufficient but your service provider refuses to make any changes, you may need to find a new service provider.
- Consistently Revisit as Needed:
- For each service provider, has it reported any material changes to the information it initially provided?
- Is each service provider reporting back at least annually, so that you can re-evaluate and document your review against current industry standards and any new information?
Next Steps for Plan Sponsors
Step 1: Review the three pieces of guidance issued by the DOL and document your review.
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor its activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Step 2: Review Webinar Training.
- Ensure the plan sponsor webinar is viewed and that the viewing is documented in your fiduciary training file.
Step 3: Service Provider Check-In.
- Ask service providers and recordkeepers about their approach to cybersecurity, using the criteria above.
- Review, document and retain the information they provide so it is available for the next audit, inquiry or annual re-evaluation.