Cybersecurity Considerations

How to select and monitor recordkeepers.
Reported by Fred Reish and Joan Neri
Art by Tim Bower

ADVISER QUESTION: I am a registered investment adviser [RIA] that assists 401(k) plan committees in selecting and monitoring recordkeepers. I also help committees with searches for new recordkeepers. I understand that the Department of Labor [DOL] recently issued guidance about fiduciaries’ responsibilities regarding service provider cybersecurity practices. What do I need to know in order to assist the committees?

ANSWER: The DOL cybersecurity guidance includes tips for hiring and monitoring plan service providers. While these tips are not mandates, they provide insight into the department’s views on what constitutes a prudent process for cybersecurity practices. As adviser to the committee, you could use these tips as a basis for guiding the committee’s evaluation of how a recordkeeper handles cybersecurity.

The DOL’s guidance “Tips for Hiring a Service Provider With Strong Cybersecurity Practices” identifies a number of factors regarding cybersecurity that a committee should consider to prudently select and monitor the recordkeeper for its plan. These factors fall into three main categories: 1) information about the recordkeeper’s standards, practices and policies; 2) information about the recordkeeper’s track record, including the way it handled any past security incidents and breaches; and 3) suggested provisions to include in the service agreement.

Standards, Practices and Policies

The DOL makes it clear that a plan fiduciary should learn about the recordkeeper’s information security standards, the manner in which those standards are validated and how they compare to industry standards. For example, the DOL points out that a plan fiduciary should determine whether the recordkeeper conducts annual third-party audits to review and validate its cybersecurity systems and practices and, if so, make sure that the obligation is included in the service contract. Reviewing the audit report, or a summary of the auditor’s findings, would also be helpful; however, the recordkeeper may be reluctant to provide that. In this case, the committee should obtain confirmation that the recordkeeper has cured any deficiencies identified in the audit report. DOL investigations of Employee Retirement Income Security Act (ERISA) plans include a request for information (RFI) about third-party audits of service provider information technology (IT) systems, such as Service Organization Control (SOC) 1 or SOC 2 reports.

Track Record

The DOL indicates that an evaluation of the recordkeeper’s track record regarding security incidents and breaches is an important part of the prudent process. This includes review of public information about any security incidents and related legal proceedings as well as the recordkeeper’s response to any past security breaches. To assess its responsiveness to a past incident or breach, you may want to review these factors with the committee: whether the recordkeeper acted quickly to address the breach, how it was addressed, the timeliness of communications about the breach, whether losses were restored and steps taken to prevent a reoccurrence.

A committee should obtain confirmation from the recordkeeper that it’s in a financial position to cover losses resulting from cyber liability and privacy breach and should consider asking for that representation in the service contract. As explained in the guidance, one way to cover such losses is through insurance. If the recordkeeper has a policy in place to cover losses from cyber liability and privacy breach, then consider helping your committees understand the coverage.

Contractual Provisions

The DOL also suggests other provisions that an agreement with a recordkeeper should contain, including those relating to:

Confidentiality. The contract should include an obligation to protect private information, prevent its use or disclosure without written permission and protect it against unauthorized access, disclosure or misuse.

Response to cybersecurity breaches. The contract should have a provision about how quickly the recordkeeper will provide notice of a cyber incident or data breach and should require the recordkeeper to cooperate in investigating and reasonably addressing the breach’s cause.

Compliance with privacy and security laws. The contract should require that the recordkeeper satisfy all applicable federal, state and local privacy, confidentiality and security laws pertaining to protection of participants’ personal information.

The guidance is about best practices but may turn out to be more than that. The DOL uses these tips in questions it asks in its plan investigations.
Fred Reish is chairman of the financial services ERISA practice at law firm Faegre Drinker Biddle & Reath LLP. Joan Neri, a nationally recognized expert in employee benefits law, is counsel in the firm’s financial services ERISA practice.
