In April, the U.S. Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) issued cybersecurity guidance for employee retirement plans. Shortly thereafter, the DOL updated its audit inquiries to include probing questions for plan fiduciaries about their compliance with the "hot off the press" agency guidance.
So, what do these inquiries look like?
In short, the DOL is asking plan sponsors to produce "all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan."
For plan fiduciaries that are new to cybersecurity and have not received a DOL audit in the last few months, it may not be clear what documents or materials the DOL is expecting. The DOL fleshes out its general inquiry with a laundry list of items. Here are some examples of those more specific requests:
All policies, procedures, or guidelines relating to matters such as:
The implementation of access controls and identity management, including any use of multi-factor authentication.
The processes for business continuity, disaster recovery, and incident response.
Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
Cybersecurity awareness training.
Encryption to protect all sensitive information transmitted, stored, or in transit.
The list above is not complete, but it makes clear that the DOL is looking for information about what plan fiduciaries are doing to safeguard their own information and systems to address privacy and security, not just that of their service providers.
Some plan fiduciaries may be wondering what policies, procedures, or guidelines to protect plan data should look like. There are many frameworks to consider when adopting reasonable safeguards. Examples include guidance published by the National Institute of Standards and Technology, the New York SHIELD Act, the Massachusetts data security regulations, the privacy and security standards under HIPAA, and so on.
In addition to the policies, procedures, and guidelines summarized above, the DOL also seeks in its audit request copies of other materials, some of which are listed below.
"All documents and communications relating to any past cybersecurity incidents."
Evidently, the DOL would like to discover whether the plan had a past cybersecurity incident. It is unclear whether this request refers only to "breaches of security" or similar terms as defined under state breach notification laws that require notification, or to mere "incidents" that do not rise to the level of a reportable breach.
"All documents and communications describing security reviews and independent security assessments of the assets or data of the Plan stored in a cloud or managed by service providers."
Here the DOL draws a distinction between plan "assets" and plan "data," seeking security reviews and assessments relating to both. Recent litigation has called into question whether plan data could be considered a "plan asset." In the most recent case, Harmon v. Shell Oil Co. (March 30, 2021), the U.S. District Court for the Southern District of Texas rejected the argument that plan assets include plan data.
"All documents describing security technical controls, including firewalls, antivirus software, and data backup."
An important note here is that it may not be enough to say, "we're doing this," or "we have implemented antivirus and firewalls to protect our information systems." The DOL is looking for documents that describe those safeguards and controls.
"All documents and communications from service providers relating to their cybersecurity capabilities and procedures."
"All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data."
"All documents and communications describing the permitted uses of data by the sponsor of the Plan or by any service providers of the Plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services."
Working with Service Providers
The DOL would like to see how plan fiduciaries are communicating with their service providers to assess service provider cybersecurity risk, as well as the documents and other materials from service providers concerning the processing of plan data. Importantly, the DOL is not only looking for cybersecurity-related information. The agency apparently wants to know how service providers are permitted to use plan data.
Plan fiduciaries will want to think carefully about their current practices, including their communications, when selecting and working with service providers.
No plan fiduciary wants to experience a DOL audit of their retirement plans, or any other audit for that matter. But cybersecurity clearly is a new and important area of interest for the DOL, and plan fiduciaries need to be prepared to respond.
Joseph J. Lazzarotti is an attorney with Jackson Lewis in Morristown, N.J. © 2021 Jackson Lewis P.C. All rights reserved. Reposted with permission.