By Fred Reish
Cybersecurity has emerged as a top issue for retirement plans, and particularly for participant-directed plans such as 401(k)s. After years of relative silence on fiduciary responsibility about cybersecurity protections for plan assets and participant data, the Department of Labor (DOL) has issued three pieces of guidance to help plan fiduciaries, such as 401(k) committee members, understand their responsibilities and suggest steps that fiduciaries should take. That guidance is the subject of this article.
To emphasize the importance of cybersecurity, the DOL recently announced that it will be investigating retirement plans' cybersecurity practices. In fact, the DOL has already started conducting those investigations. And plaintiffs' attorneys are already suing plan fiduciaries and service providers in cases where money was stolen from participants' accounts by cyber thieves.
In April 2021, the DOL announced that it was issuing three pieces of guidance for plan fiduciaries and service providers (see the DOL news release "US Department of Labor announces new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, plan participants" at dol.gov).
The guidance is in the form of "Tips" and "Best Practices", which means that the DOL is providing general guidance about its expectations. While those "suggestions" do not have the status of a law or regulation, it is likely that the DOL will assert in its investigations (and perhaps in litigation) that at least some of the suggested steps are required for fiduciaries to engage in a prudent process.
The DOL's guidance consists of three documents:
- Tips for Hiring a Service Provider (for plan sponsors and fiduciaries)
- Cybersecurity Program Best Practices (for recordkeepers and other service providers)
- Online Security Tips (for participants)
The Tips for Hiring a Service Provider are intended for plan sponsors, for example, members of a 401(k) plan committee. The Tips begin with:
As sponsors of 401(k) and other types of pension plans, business owners often rely on other service providers to maintain plan records, and keep participant data confidential and plan accounts secure. Plan sponsors should use service providers that follow strong cybersecurity practices.
To help business owners and fiduciaries meet their responsibilities under The Employee Retirement Income Security Act (ERISA) to **prudently select and monitor such service providers**, we prepared the following tips for plan sponsors of all sizes:
As the quoted language says, the DOL's position is that, as a part of their legal duty to prudently select and monitor service providers, fiduciaries must obtain and evaluate information about the cybersecurity practices of their service providers, including their recordkeepers. The Tips then list a number of inquiries that plan fiduciaries should make, including:
- Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity. You can have much more confidence in the service provider if the security of its systems and practices are backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.
- Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
- Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
One approach to demonstrating a prudent fiduciary process for evaluating the cybersecurity practices of service providers would be to send the service provider (e.g., the plan's recordkeeper) these Tips and ask for written responses to the DOL's suggested questions. That request will not come as a surprise to recordkeepers, since they almost certainly have already received numerous similar requests from plan sponsors and consultants.
The Cybersecurity Program Best Practices are intended for service providers, for example, recordkeepers. They list a number of steps that service providers should take to mitigate cybersecurity risks. As explained by the DOL: The Employee Benefits Security Administration [of the DOL] has prepared the following best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, **and for plan fiduciaries making prudent decisions on the service providers they should hire**.
While this piece of guidance is addressed to service providers, the DOL makes it clear, in the quoted language, that plan sponsors should also pay attention to it. In other words, the DOL is taking the position that plan fiduciaries have a duty under ERISA to vet the cybersecurity practices of the plan's service providers.
In these Best Practices, the DOL lists 12 specific steps that service providers should take. That list includes: have a formal, well-documented cybersecurity program; conduct prudent annual risk assessments; conduct periodic cybersecurity awareness training; and encrypt sensitive data, both stored and in transit. That is only a partial list. Plan fiduciaries should familiarize themselves with the full list of service provider Best Practices. Then, one approach to fiduciary compliance would be to obtain written confirmation from the service providers that they follow the DOL's 12 Best Practices. After obtaining answers to those questions, an additional step could be to hold a virtual meeting between the plan committee and representatives of the recordkeeper to go over the answers and ask any follow-up questions needed to understand the responses. Documenting that meeting and the responses would be evidence of having engaged in a prudent process.
The Online Security Tips are intended for participants. The purpose is to educate participants on basic steps for reducing the risk of fraud and losses to their retirement accounts. For example, some of the tips are to: use strong and unique passwords (with suggestions for how to do that); use multi-factor authentication; beware of phishing attacks (with a list of common warning signs of phishing attacks).
While there isn't an explicit fiduciary requirement to educate participants about cybersecurity safety, it's possible that the DOL or plaintiffs' attorneys could argue that plan fiduciaries have that duty. As a result, and to reduce the risk of claims related to cyber theft of participants' accounts, fiduciaries should consider providing copies of this guidance to their participants at least annually.
In light of the DOL’s focus on cybersecurity, and the increasing number of lawsuits about participant losses due to cybersecurity breaches, plan sponsors and their committees should take steps to protect themselves. The first step is to familiarize themselves with the issues and the government guidance. The next step is to obtain information from their plan service providers about the protection of participants’ accounts and data. That information should be evaluated to ensure that it is consistent with industry standards. A focused 401(k) advisor can help plan sponsors do that. Finally, plan sponsors should consider an ongoing employee educational campaign about cybersecurity. The regular distribution of the DOL’s Online Security Tips can be a component of that education.
Forewarned is forearmed. The expectations are that plan sponsors and their committees will address these issues in a thoughtful and informed manner.