Since issuing its first cybersecurity guidance in 2021, the Department of Labor (DOL) has laid out what it expects plan sponsors to do. Plan sponsors should now do it.
It appears that cybersecurity will be part of all DOL retirement plan audits, and it will be clear to the agency which plans fall short.
The work required to follow all of the DOL’s cybersecurity guidance is substantial. Many organizations don’t have the resources to comply fully, or they don’t feel an urgency to put their resources toward it, said Jon Meyer, chief technology officer at CAPTRUST in Raleigh, North Carolina.
“The DOL’s investigators are auditors first, and they are going to say, ‘Show me what your policy is, and then show me that you live up to your policy,’” Meyer said. “The hard part for the employer is to show that it does live up to its policy. People get into trouble when they copy a cybersecurity policy from another organization or get it off the internet, but they don’t actually execute on that policy.”
Six experts spoke with NAPA Net about what they think the DOL will expect from plan sponsors with their cybersecurity policies and procedures.
Protecting the assets
ERISA, enacted in 1974, does not explicitly address a fiduciary responsibility for cybersecurity. That is not surprising, since people didn’t think much about cybersecurity in the 1970s, said Allison Itami, a Washington, D.C.-based principal at Groom Law Group.
“But obviously, there is a fiduciary duty to make sure that the plan assets are used for the payment of benefits and plan expenses,” Itami added. “Part of that is protecting those assets from hackers and fraud.”
ERISA doesn’t say anything directly about a fiduciary responsibility for cybersecurity, agreed Stephen Wilkes, San Francisco-based chief legal officer and partner at The Wagner Law Group. But look at ERISA’s fiduciary principles of loyalty and prudence, he said, and it is not hard to stretch those to say that a fiduciary must protect plan participants’ accounts in the cyber realm.
With hacking and fraud attempts increasing, it’s not surprising that the DOL started asking plan sponsors facing an audit to supply documentation relating to any cybersecurity or information security programs that apply to that plan’s data.
Now, DOL investigators are deciding what to do with all the cybersecurity information submitted by plan sponsors, Itami said. She expects cybersecurity to become a part of all retirement plan audits, rather than the DOL conducting cybersecurity-specific audits, and she added that the DOL’s cybersecurity guidance also applies to health and welfare plans.
“I think the DOL is now trying to figure out how to develop audit guidelines for these cybersecurity issues,” said Joseph Lazzarotti, a principal at law firm Jackson Lewis P.C. in Berkeley Heights, New Jersey. “If I had to guess, I also think that those guidelines will end up being part of every DOL retirement plan audit.”
Plan sponsors are gradually getting the message about their cybersecurity responsibilities, Wilkes said. Many are part of organizations that already have an enterprise-wide cybersecurity strategy, and sponsors can build on that base in developing their retirement plan cybersecurity protections.
“The added layer here is, on top of what their organization is doing already, what are the additional cybersecurity responsibilities they have with regard to the retirement plan itself?” Wilkes added.
Mitigating risk externally
For years, major financial institutions that work on retirement plans have invested a lot of time and money to build and maintain safeguards that prevent bad actors from stealing participant assets or data. But the assumption some sponsors make that, because their plan uses well-known Vendor X, they can simply trust that this large vendor maintains strong cybersecurity protections is faulty, Lazzarotti said. “That’s not what the DOL has in mind,” Lazzarotti added. “A plan fiduciary still has to act prudently: do their due diligence, document that they’ve done their due diligence, and make prudent decisions.”
Before implementing a program to monitor plan providers’ cybersecurity, Meyer suggested that a sponsor first inventory all the plan providers it uses and what type of data each provider has access to for that plan. This helps the sponsor gauge the level of cybersecurity risk at each provider and then decide how intensive the ongoing monitoring of that provider’s cybersecurity needs to be.
“It is very important to dig into who has got what data, and how sensitive is that data?” Meyer said.
Does a provider have access only to firm-level data for the employer? Does it have access to plan-level data, such as the investment lineup? Or does it have access to specific, sensitive data about individual participants?
“The plan sponsor needs to come up with a risk-based approach to document what steps it took with each of the plan’s providers to assess the provider’s cybersecurity,” Lazzarotti said.
For a lower risk level, that could mean someone from the employer’s IT staff talking with someone from the provider’s IT staff about its cybersecurity provisions and then writing a memo assessing their reasonableness.
For providers with a moderate risk assessment, it could mean developing a comprehensive cybersecurity questionnaire and requiring providers to complete it, as well as carefully reviewing a provider’s independent cybersecurity audit. He said that more intensive monitoring could include additional steps such as requiring that the provider regularly have “penetration” testing done to determine whether the provider’s cybersecurity protections are actually working to thwart unauthorized access.
“From an employer perspective, the main thing that they can do is to monitor, monitor, monitor, to show that they’re doing their job,” said Frank Palmieri, a partner at law firm Palmieri & Eisenberg in Princeton, New Jersey.