Early this spring, the Department of Labor (DOL) announced its first cybersecurity guidance for plan sponsors, fiduciaries, record keepers and plan participants. The guidance is significant for the insight it offers into the DOL’s position on the standard of care plan sponsors and fiduciaries should follow to meet their responsibility to prudently select and monitor critical service providers. With cyber-attacks growing more frequent, and with the risks that breaches of plan and participant data present, plan sponsors and fiduciaries should incorporate this guidance on cyber threats into their policies, procedures and decision making for selecting and monitoring service providers.
The DOL cybersecurity guidance comes in three parts: Tips for Hiring a Service Provider; Cybersecurity Program Best Practices; and Online Security Tips. The Online Security Tips are directed primarily at plan participants and largely replicate the advice regularly offered by financial institutions and others. What follows are selected sections from the guidance regarding hiring a service provider and cybersecurity program best practices.
Tips for Hiring a Service Provider
- Ask about the service provider’s information security standards, practices and policies, and audit results.
- Evaluate the service provider’s track record, including public information on security incidents and litigation related to the provider’s services.
- Ask whether past security breaches have occurred and how the service provider responded.
- Find out whether the service provider has any insurance policies covering losses caused by cybersecurity and identity theft breaches.
- Require the service provider to obtain annually a third-party audit to determine compliance with information security policies and cybersecurity procedures.
- Establish protocols for the use and sharing of information and confidentiality.
- Require the service provider to provide immediate notification of cybersecurity breaches.
- Require the service provider to comply with all records retention and destruction, privacy and information security laws.
Cybersecurity Program Best Practices
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
Although these DOL tips are guidance and are less authoritative than formal regulations, we strongly recommend that plan sponsors and fiduciaries, if they are not already doing so, follow them and incorporate them into a documented process for not only hiring but also monitoring service providers. Failing to do so will heighten the risks in the event of a DOL audit and could expose fiduciaries to participant claims of fiduciary breach in the future. So be prepared, because, to quote John Chambers, the former CEO of Cisco, there are two types of companies: “those that have been hacked and those who don’t know they have been hacked.”