Earlier this month, the U.S. Department of Labor (the “DOL”) issued informal guidance outlining “best practices” for managing the cybersecurity risks facing employer-sponsored retirement plans.  Although the DOL has previously stated generally that plan fiduciaries must ensure systems are in place to protect participant data, this guidance marks the first time the DOL has directly addressed cybersecurity in this context.

The most notable portion of the guidance for plan sponsors and fiduciaries are the DOL’s Tips for Hiring a Service Provider with Strong Cybersecurity Practices. This guidance outlines both: (i) the questions plan fiduciaries should ask potential plan service providers about their cybersecurity practices; and (ii) the contract provisions related to cybersecurity that plan fiduciaries should include in their service provider agreements.

Cybersecurity Questions for Plan Service Providers.  The DOL guidance states that ERISA requires plan fiduciaries to protect plan participants and assets from cybersecurity threats by selecting service providers with strong cybersecurity practices.  To meet this obligation, the guidance provides that plan fiduciaries should consider the following when evaluating a plan service provider:

• the service provider’s security standards, practices and policies, and audit results, as compared to industry standards;
• how the service provider’s security practices have been implemented and validated;
• the service provider’s track record in the industry (for example, by reviewing public information about data security incidents and litigation);
• whether the service provider has experienced past security breaches and how the service provider responded; and
• whether the service provider has any insurance policies that would cover cybersecurity and identity theft breaches, and the terms and limits of that coverage.

Recommended Cybersecurity Contract Provisions.  The DOL guidance also provides that the services agreement with the service provider ultimately selected should require ongoing compliance with cybersecurity standards.  While not hard requirements for every services agreement, the guidance recommends that the agreement include terms:

• requiring the service provider to obtain a third-party audit of its security practices annually and allowing plan fiduciaries to review the audit results;
• outlining the service provider’s obligations to protect and limit its use and disclosure of participant’s personal information, including compliance with all applicable laws;
• establishing specific deadlines and terms for notifying plan fiduciaries of a data breach and assisting with the related response; and
• requiring the service provider to maintain adequate cybersecurity and identity-theft insurance coverage.

The DOL guidance also warns that plan fiduciaries should try to avoid contract provisions that limit the service provider’s responsibility for security breaches.

Next Steps.  Plan fiduciaries should consider (i) incorporating the DOL’s suggested cybersecurity questions into any future RFPs for plan service providers, and (ii) including the DOL’s recommended contract provisions in the services agreement with the provider ultimately selected.

Notably, current plan service providers may be operating under an outdated agreement that does not adequately address cybersecurity risks.  Plan fiduciaries should consider reviewing, and possibly negotiating changes to, these agreements in light of both the DOL’s recent guidance and the increased focus on data security in retirement plan litigation.

In addition, while the guidance is directed to retirement plan fiduciaries, the fiduciary principles outlined in the guidance would also appear to be applicable to ERISA-covered welfare plans (although the application of this guidance in the welfare plan context is not entirely clear, particularly in light of the specific security requirements under HIPAA).

For additional information, please contact your Employee Benefits and Executive Compensation counsel at Smith, Gambrell & Russell, LLP.