Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

New York

Washington, D.C.

On April 14, 2021, the Department of Labor (DOL) issued guidance regarding retirement plan cybersecurity in the form of best practices for retirement plan service providers, best practices for the selection of service providers with strong cybersecurity practices, and online security tips for participants. While the DOL stopped short of providing any analysis or discussion of the standards that plan fiduciaries must satisfy and did not provide any safe harbor relief to retirement plans, the guidance is a welcome development for plan sponsors and service providers alike.

contentpilot/introduction

core/heading

The issue of cybersecurity has garnered increased attention in recent years with the proliferation of cybersecurity attacks on individuals, private companies and governments. Given the nearly $10 trillion held in retirement plans, retirement plans are high-profile targets for hackers and other unscrupulous actors. This issue has been underscored by several pending lawsuits involving bad actors who allegedly were able to access participant accounts and obtain significant distributions due to lax security protocols employed by retirement plan service providers. Various industry groups and providers have repeatedly sought clarity from the DOL regarding the standards (if any) that apply but the DOL had remained silent on the issue until now.

core/paragraph

In February 2021, the Government Accountability Office (GAO) issued a report entitled “<a href="https://www.gao.gov/products/gao-21-25" target="_blank" rel="noopener">Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans</a>.” In it the GAO noted that retirement plan administration often involves multiple parties that may have a need to use or disclose sensitive personally identifiable information (PII) of plan participants. While many of the parties involved may be subject to established security standards—such as financial institutions—many are not. The GAO also noted that the DOL had not, prior to the recent best practices guidance, provided any clarity on the standards that apply, noting that:

“Federal law nevertheless requires plan fiduciaries to act prudently when administering plans. However, the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of 22 stakeholders GAO interviewed expressed the view that cybersecurity is a fiduciary duty. Further, DOL has not established minimum expectations for protecting PII and plan assets.”

The GAO made two recommendations based on its research and review:

“GAO is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in DC [defined contribution, e.g., 401(k)] plans and to establish minimum expectations for addressing cybersecurity risks in DC plans.”

The DOL issued three pieces of guidance: (1) cybersecurity program best practices for service providers, (2) tips for plan sponsors to hire service providers with strong cybersecurity practices, and (3) online security tips directed at plan participants to safeguard their accounts.

Retirement Plan Service Provider Best Practices

The service provider guidance discusses 12 best practices that should be adopted by retirement plan service providers in connection with cybersecurity:

core/list

For plan sponsors of group health plans, the best practices should be familiar as they are similar in many ways to the security requirements that apply to electronic protected health information under HIPAA. The best practices—like HIPAA’s security requirements—are designed to ensure the confidentiality, integrity and accessibility of sensitive information.

While these best practices are directed at retirement plan service providers, they impact plan sponsors in two primary ways. First, plan sponsors often provide services to their retirement plans and may access, store and disclose PII in connection with providing administrative services to the retirement plan. As a result, plan sponsors should apply these best practices to their internal retirement plan activities.

Second, the DOL’s enforcement authority extends to plan fiduciaries who have responsibility to prudently select and monitor plan service providers, but not directly to non-fiduciary service providers. As a result, plan fiduciaries should implement the best practices when selecting and monitoring plan service providers.

Tips for Hiring Service Providers with Strong Cybersecurity Practices

As noted above, among other obligations, plan fiduciaries must prudently select and monitor their service providers, including their cybersecurity practices. To aid plan fiduciaries in discharging this obligation, the DOL provided tips for hiring service providers with strong cybersecurity practices. The DOL recommends that plan sponsors—

Recognizing that a plan sponsor’s means for enforcement of service provider cybersecurity best practices will be largely contractual, the DOL recommended several contractual provisions. Specifically, the DOL recommended that plan sponsors pursue provisions that (i) require ongoing compliance with cybersecurity and information security standards, (ii) require service providers to annually obtain a third-party audit to determine compliance with cybersecurity and information security policies and procedures and permit the plan sponsor to review the results, (iii) define the service provider’s confidentiality obligations including how the service provider may use and disclose confidential information and the standard of care that will apply, (iv) impose breach notification obligations including the timeframe for notification and the service provider’s obligations to investigate the breach and address the cause, (v) require compliance with all applicable record retention and destruction, privacy and information security laws, and (vi) require insurance coverage that would cover losses resulting from cybersecurity breaches or incidents. The DOL also recommended that plan sponsors beware of provisions that limit the service provider’s responsibility or liability for security breaches.

The DOL made clear that its list of recommended contractual provisions is not exhaustive. Indeed, the DOL mentioned in its service provider best practices guidance additional contractual provisions that should be pursued, including (i) provisions establishing the service provider’s access control policies and use of multi-factor authentication, and (ii) provisions establishing the service provider’s encryption policies and procedures.

Online Security Tips for Plan Participants

Finally, recognizing that participants also play an important role in the security of their account information, the DOL issued online security tips for participants, which include—

Plan sponsors should consider integrating the online security tips in future educational campaigns directed at plan participants and in participant communications.

While the DOL guidance is a welcome development, many unanswered questions remain. For instance, the DOL did not discuss the basis for its conclusory statement that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks,” or establish minimum expectations for fiduciaries charged with the selection and monitoring of service providers and ensuring the confidentiality, integrity and accessibility of PII. The DOL also did not address the issue of whether plan data is a plan asset.

Despite the many questions that remain, the guidance provides a helpful roadmap for cybersecurity practices. As a result, plan sponsors should carefully consider the guidance and its implications for their retirement plans and service providers, review current practices and service provider arrangements, and work with counsel to implement the recommended best practices as appropriate.

Our Employee Benefits &amp; Executive Compensation and Privacy &amp; Cybersecurity practice groups can assist as you work through these steps.

Edward C. Redder 614.469.3258 <a href="mailto:Edward.Redder@ThompsonHine.com">Edward.Redder@ThompsonHine.com</a>

Craig A. Foster 614.469.3280 <a href="mailto:Craig.Foster@ThompsonHine.com">Craig.Foster@ThompsonHine.com</a>

Brian L. Gaj 216.566.5931 <a href="mailto:Brian.Gaj@ThompsonHine.com">Brian.Gaj@ThompsonHine.com</a>

or any member of our <a href="https://www.thompsonhine.com/services/employee-benefits-amp-executive-compensation">Employee Benefits &amp; Executive Compensation</a> group.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Employee_Benefits_Update_-_DOL_Issues_Much-Anticipated_Retirement_Plan_Cybersecurity_Guidance.pdf

DOL Issues Much-Anticipated Cybersecurity Guidance

Services