Revisiting the Department of Labor’s Cybersecurity Guidance – Some Additional Thoughts for Employers
March 15, 2023
In 2021, the Department of Labor issued new guidance (“2021 guidance”) that set forth “best practices” for ERISA plan sponsors with respect to cybersecurity. The guidance was broken into three sections: 1) Best practices for choosing a service provider; 2) Best practices for service providers; and 3) Cybersecurity tips for individuals.
While presented officially as “best practices” and not as a set of requirements, we noted at the time that DOL appeared to be establishing its expectations for plan sponsors with respect to their service providers and what it might expect to see in place in the event of an audit. To that end, we have begun to see related cybersecurity questions appear on actual DOL audit questionnaires intended for employers. For example, a recent set of questions asked the employer being audited for the following information:
- Documents sufficient to describe Password protocols for participant Plan accounts, including the number and type of characters, the frequency with which it can be changed or need to be changed, and the complexity required;
- Documents sufficient to describe the encryption protocols for Plan data including firewalls, antivirus software (including subscriptions), and data backup;
- Brief description how Plan Sponsor access Plan’s data for entering information;
- Names and titles of persons who have access to Plan data and extent of their access, i.e., census, payroll, participant information, etc.;
- Documents pertaining to any cybersecurity training for the Plan Sponsor’s employees and its fiduciaries;
- A brief narrative describing any past cybersecurity breaches involving the Plan and its participants including the extent of the breach and changes implemented to prevent future cybersecurity violations;
- Cybersecurity Liability Policy and related documents, if applicable;
- Documents provided to the Plan Sponsor by service providers in regards to cybersecurity protocols for maintaining Plan data;
- Copies of any documents distributed to Plan participants encouraging cybersecurity awareness; and
- Documents pertaining to any changes or updates to the basic Plan Documents or Summary Plan Documents relating to cybersecurity protections, assessments, and internal controls.
This set of questions tells us some things and raises other questions. It tells us that the DOL does, in fact, expect that plan sponsors take cybersecurity seriously – many of the issues it raised in the 2021 guidance are now showing up on actual audits. But not all these audit questions appear to stem directly from the guidance. For example, the 2021 guidance said nothing about procuring cybersecurity insurance (although that could easily be considered a logical step for anybody taking the guidance seriously). Secondly, while the 2021 guidance was primarily geared towards service providers (the focus was on how plan sponsors should select/audit their service providers and on the types of safeguards service provides should have in place), the DOL audit questions appear directed at the employers themselves. Should employers answer these questions on behalf of their plan service providers? Or should they be implementing these requirements themselves?
The big unanswered question these audit questions raise is whether the DOL intends to penalize plans if they conclude the plan has not done enough to protect against cybersecurity threats, and can they even do so? On the one hand, given that the 2021 guidance was issued as best practices, not regulatory commands, it seems unlikely the DOL could penalize a plan for not following some specific step in those guidelines. On the other hand, if the DOL believes the plan has not taken cybersecurity seriously overall, it’s not impossible to see it requiring specific corrective action under ERISA’s fiduciary duty requirements or some similar general obligation to protect the plan and its participants.
So does that mean that employers should now go out and implement all of the DOL guidelines exactly as written to protect themselves in the event of an audit? Not necessarily, but we think it does make sense for employers to pay more attention to cybersecurity issues as they apply to their benefit plans and plug any obvious gaps in their existing practices. The good news is that many of the DOL best practices involve actions the employer may already be taking to protect against cybersecurity threats to its overall business – the employer just hasn’t thought about or documented how those existing practices already apply or can be extended to cover their benefit plans. Same with HIPAA privacy and security – many of the things an employer must do to properly implement HIPAA privacy and security requirements for the group health plan are applicable to other benefit plans not subject to HIPAA and might go a long way to satisfying the DOL’s concerns in an audit if they were expanded slightly. The goal should be to be able to give enough positive responses if the employer is subject to a DOL audit to satisfy the DOL that the employer is taking the issue of cybersecurity seriously.
To that end, we believe there are several practical implications for employers:
- Employers as plan sponsors should be taking reasonable steps to implement cybersecurity practices within their organizations to protect any plan data that is stored/accessed internally. And their vendors/service providers should separately be implementing these requirements for the data they handle.
- It would be prudent for employers to comprehensively review their existing IT/security practices in light of the 2021 guidance and DOL audit questions and document how those existing practices are applicable to their benefit plans to ensure that they are prepared to respond to these inquiries both on behalf of their service providers and on behalf of their own organization.
- While HIPAA compliance efforts may not address all ERISA plans sponsored by an employer, they will provide a meaningful framework to apply to any plans that fall outside HIPAA’s scope. Therefore, if employers have not yet addressed HIPAA’s privacy and security requirements, including developing written policies and procedures and conducting a HIPAA security risk analysis, they should prioritize this. Benefit Comply has services that can assist employers in this effort.
- The third section of the 2021 guidance focused on best cybersecurity practices for participants/individuals. While not explicit, there may be an expectation that plan sponsors communicate these best practices to individuals via some sort of notice. Indeed, this section of the guidance was written as a two page summary directed at plan participants themselves and could easily work as a model notice to provide to employees, e.g., with an annual notices packet or in a benefits enrollment booklet or as part of an organization’s existing security awareness training initiatives Employers should look at the list of communications and compare it to what it may already be communicating to its employees/plan participants. Many of these practices parallel what companies may already be communicating to employees through things like Acceptable Use Policies.
It seems clear in this case that the DOL has used the 2021 guidance to communicate its expectations for how employers and their vendors should be safeguarding their plan data. Luckily, ensuring compliance with these expectations should not be an entirely new undertaking. After reviewing existing IT security efforts and HIPAA security compliance efforts, employers will likely find that many of the 2021 guidance “best practices” are already being addressed to some extent. But this is a good opportunity to deal with any gaps. And for those employers who have not yet undertaken compliance efforts with respect to HIPAA privacy and security, now is definitely the time to address those requirements.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.