Cathy Kelaghan
April 23, 2021

The Department of Labor’s Employee Benefits Security Administration (“EBSA”), on April 14, 2021, issued long-awaited guidance for employee retirement plans regarding cybersecurity.  EBSA acknowledges that ERISA-covered plans “often hold millions of dollars or more in assets and maintain personal data on participants” and that plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.  The guidance is available on EBSA’s website and includes three sets of materials:  (1) Cybersecurity Program Best Practices; (2) Tips for Hiring a Service Provider with Strong Cybersecurity Practices; and (3) Online Security Tips.  The Online Security Tips are aimed at plan participants, so this article will focus on the first two items.

Cybersecurity Program Best Practices

These best practices prepared by EBSA are for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries as they select service providers.  The Cybersecurity Program Best Practices include:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past security incidents.

EBSA provides specific detail on each of these items, which gives recordkeepers, service providers and plan fiduciaries guidance as they develop their own policies and procedures.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

Under ERISA, plan fiduciaries are required to prudently select and monitor service providers.  This guidance provides direction to assist in choosing service providers that follow strong cybersecurity practices.  Here are the EBSA tips:

  1. Ask about the service provider’s information security standards, practices, and policies, and audit results, and compare them to the industry standards adopted by other financial institutions.
  2. Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.  Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account).
  6. Make sure your contract with the service provider requires ongoing compliance with cybersecurity and information security standards, assigns responsibility for security breaches, and includes other contract provisions that enhance cybersecurity protection for the plan and participants, such as reporting requirements, use and sharing of information, and records retention.

This new EBSA guidance will help service providers and plan fiduciaries implement appropriate cybersecurity practices to safeguard plan data.

As always, Stall Legal is available to assist and answer any questions you may have.