Press Release

Bradley attorney Andrew Elbon was quoted in PlanSponsor on the first-ever cybersecurity guidance released by the Department of Labor (DOL) for Employee Retirement Income Security Act (ERISA) plans.

There’s not much new information in the DOL guidance from what had already been suggested by experts -- it has issued common sense best practices that reflect the state of the industry, explained Elbon.

“What’s new is that the DOL has laid out in a thorough manner what it would expect plan fiduciaries to be looking for,” Elbon said. “The DOL is saying, ‘This is a fiduciary issue and here’s a road map.’”

Elbon said he expects plan sponsors seeking providers will issue a request for proposals (RFP) that includes the questions the DOL suggests. He said he imagines the issuance of an RFP would be a one-time thing, but it makes sense to expect current service providers to provide some kind of annual checkup to show how they are continuing to satisfy cybersecurity best practices and to communicate any changes they’ve made. Plan sponsors should also expect a report of incidents.

“To the extent a plan sponsor is doing anything in-house that involves the storage or transmission of ERISA plan and participant data, it should have a person or team, if it doesn’t have an IT [information technology] department, dedicated to ensuring cybersecurity,” Elbon said. “This is for all ERISA plans, not just retirement plans, but also health plans.”

Elbon explained there is a good chance that some plan sponsors are handling data and are not just relying on service providers for the storage or transmission of data. These sponsors should look at their cybersecurity practices and consider whether they want to keep being responsible for handling data. If they continue to take on that responsibility, plan sponsors should consider what they need to change to better protect data and respond to incidents.

“I do a lot of work with HIPAA [the Health Insurance Portability and Accountability Act], and one rule of thumb I’ve tried to convey is if a plan sponsor is in the business of holding on to participant data, it should probably get out of it and rely on service providers that are better equipped to handle cybersecurity,” Elbon said. “Maybe one of the side effects of the [DOL] guidance is giving plan sponsors the impetus to do that. They now have a nice set of guidelines to rely on for evaluating and selecting service providers based on this issue.”

To the extent that plan sponsors have exposure, Elbon said it makes sense that their corporate insurance policies should have cybersecurity provisions.

Plan sponsors should share the DOL’s online security tips with plan participants, he added. Elbon said plan service providers can communicate the tips as well.

“I think this is a very positive development, offering very specific rules of the road to rely on,” he said. “I see this as consistent with a prudent process to select service providers, just as plan sponsors need to have a prudent process to select investments. That is a fiduciary act. It doesn’t mean that if something goes awry, plan sponsors are at fault; it just ensures they do their due diligence.”

The original article, "The DOL’s Cybersecurity Guidance in Practice," appeared in PlanSponsor on May 21, 2021.