Provider Reviews, Contracts Emphasized in DOL Cybersecurity Guidance

Retirement plan fiduciaries often rely on their service providers to create the electronic systems used to maintain participant data and conduct electronic transactions involving plan assets—so the Department of Labor is paying special attention to these relationships.

More detailed cybersecurity analysis has come out in the seven months since the U.S. Department of Labor (DOL) issued informal guidance on cybersecurity in the retirement plan services industry.

As a refresher, the guidance comes in three forms. The first piece of guidance is tips for hiring a service provider with strong cybersecurity practices and monitoring their activities. The DOL’s Employee Benefits Security Administration (EBSA) recommends asking about a service provider’s security standards, practices and policies, as well as evaluating its track record in the industry.

The second piece of guidance lays out cybersecurity program best practices to help plan fiduciaries and recordkeepers stay on top of their responsibilities to manage cybersecurity risks. The best practices include having a formal, well-documented cybersecurity program; conducting annual risk assessments; clearly defining roles and responsibilities; and conducting periodic cybersecurity awareness training.

Lastly, the DOL issued online security tips aimed at plan participants and beneficiaries who check their retirement accounts online; they are basic rules to reduce the risk of fraud and loss, such as being wary of public WiFi and using strong, unique passwords.

Now that they have had additional time to digest the guidance, a trio of attorneys with the Wagner Law Group—Jon Schultze, Susan Rees and Barry Salkin—has prepared and published some further analysis, packaged in the form of a new law alert shared with PLANADVISER.

The Wagner attorneys say the guidance, while helpful, also leaves many unanswered questions, particularly on cyber breaches involving the theft of assets in a participant’s account and the simple misappropriation of confidential participant information.

“Of interest is that the DOL has been especially careful to warn plan fiduciaries about prudent selection and ongoing monitoring of any service provider who will have access to participant information and assets, noting that plans often rely on such service providers to create the electronic systems used to maintain participant data and to conduct electronic transactions involving plan assets,” the attorneys explain.

In their view, plan fiduciaries may have difficulty achieving full compliance with the DOL guidance because many of the required actions are controlled by their service providers. Adding to the challenge, plan sponsors and service providers often work together under outdated contracts.

“For example, one of the requested items on a DOL audit is ‘all’ documents and communications from service providers relating to their cybersecurity capabilities and procedures,” the attorneys note. “Although it may seem new and difficult to obtain this information and to include it in their contract negotiations, plan sponsors may be aided by the DOL’s making it clear that service providers are not immune from DOL scrutiny, and that the DOL will step in if it appears that a service provider may be responsible for a cyber breach involving an ERISA [Employee Retirement Income Security Act] plan.”

Something else left unanswered in the informal guidance, according to the attorneys, is the bigger question of the allocation of responsibility between a plan sponsor and a service provider in the case of a breach.

“We may have some hints that the DOL considers that a recordkeeper or other service provider that creates and operates the electronic systems may be largely responsible when the system fails to prevent the misappropriation of plan data or assets,” the attorneys say. “In one plan audit, the DOL asks a plan administrator whether their recordkeeper carries cybersecurity insurance, and in its ‘Tips for Hiring a Service Provider,’ the DOL was even more pointed in its advice to plan sponsors.”

In its guidance, the DOL tells plan sponsors to “find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches, including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account.” Furthermore, the DOL suggests the following: “When you contract with a service provider … beware contract provisions that limit the service provider’s responsibility for IT [information technology] security breaches.”

The Wagner attorneys say this seems like “wishful thinking.”

“Even if a service provider fully implements all of the DOL’s best practices, it is likely the service provider will also include language in its agreement to cap its liability in some fashion, either by a low dollar cap on liability for a cybersecurity breach or a provision indicating that it has no responsibility for a cybersecurity loss if the loss was the plan sponsor’s fault or the participant’s fault,” the attorneys warn. “While these caps on liability may not apply in the event of a finding of gross negligence, willful misconduct or intentional wrongdoing, as a practical matter, plan sponsors should take cold comfort from exceptions to exclusionary language of that nature.”

The service providers are themselves in a tough spot, in this respect. As the attorneys explain, there can be no assurance that even a state-of-the-art cybersecurity system cannot be overcome by an expert hacker, and courts have not discouraged claims of liability against service providers, as well as plans, even where the responsibility may be difficult, if not impossible, to prove.

“Nonetheless, it would be appropriate for the relevant plan fiduciary to benchmark contractual provisions limiting liability either in general or for cybersecurity breaches in particular, so that its acceptance of contract language limiting a service provider’s liability is done on a fully informed basis,” the attorneys conclude.

Additional Wagner Law Group law alerts can be found here.