PLANADVISER - July/August 2021 - 39

compliance consult
David Kaleda
Cybersecurity and ERISA
DOL guidance should prompt clients to ask for help with compliance
ON APRIL 14, the Department of Labor (DOL) issued a
cybersecurity guidance package directed at sponsors
of, and service providers to, plans regulated under the
Employee Retirement Income Security Act (ERISA). This
is the first such guidance the department has issued, and
advisers should expect clients to inquire about how to
comply with it. Also, advisers may view the issuance of the
guidance as an opportunity to consult with their clients on
this highly technical compliance matter.
The DOL presented the guidance package
in three separate documents: "Tips for Hiring
a Service Provider With Strong Cybersecurity
Practices," "Cybersecurity Program Best Practices"
and "Online Security Tips." The first
two publications address, respectively, what
plan fiduciaries and plan service providers
should consider in evaluating plan-related
cybersecurity policies and procedures. The
third guidance informs plan participants
what steps they can take to protect their plan
benefits from cybertheft. Importantly, the DOL states that
responsible plan fiduciaries have a duty under ERISA to
mitigate their plan's cybersecurity risks.
The three documents are written as tips and best practices.
However, the DOL's Employee Benefits Security
Administration (EBSA) Office of Enforcement (OE) has been
using the guidance as a tool in its investigations. Since April,
some regional offices have sent information document
requests (IDRs) to plan sponsors in order to secure information
about their plan's, and its service providers', cybersecurity
practices. The IDRs clearly track the guidance, as do
DOL investigators' questions in OE interviews of plan sponsors.
Whether the DOL will take any action on the information
it gleans from such investigations remains to be seen.
However, at a minimum, the agency has put plan fiduciaries
and service providers on notice that it expects them to
focus on cybersecurity policies and procedures.
Given the issuance of the guidance and recent DOL
enforcement activity, fiduciaries and service providers
should evaluate the relevant cybersecurity policies and
procedures accordingly. Plan fiduciaries can use the "Hiring
a Service Provider ..." publication to identify how to evaluate:
1) a service provider's cybersecurity practices, and 2)
certain cybersecurity-related provisions in their contracts
with service providers.
The guidance focuses on evaluating service providers
that a plan fiduciary might hire. Yet, given that DOL investigations
likely will ask how the fiduciary has been addressing
cybersecurity risk, and given recent ERISA breach of fiduciary
duty lawsuits brought by participants whose account
balances were stolen, plan fiduciaries also should consider
evaluating their current service providers.
Additionally, fiduciaries should consider sharing "Online
Security Tips" with their employees. The guidance provides
some excellent information on how individuals
can take steps to protect their retirement
benefits from cybercriminals. Further,
sharing the tips may help demonstrate procedural
prudence on the part of the fiduciary.
Service providers likely would benefit
from assessing their policies and procedures
in light of both the hiring a service provider
and the program best practices guidance.
Many providers will likely receive inquiries
from plan fiduciaries along the lines of
what the DOL states in the hiring a service
provider guidance, and thus will benefit from preparing for
such inquiries in advance.
The program best practices guidance offers a good overview
of what the DOL sees as effective cybersecurity practices.
Many service providers have taken significant steps
to protect themselves and their clients from cybercrime.
However, in reviewing the guidance, providers can learn
where in particular the DOL, or their clients, have concerns.
In summary, the DOL's cybersecurity guidance is the first
effort the department has made to establish that plan fiduciaries
have certain fiduciary duties in connection with cybersecurity
and protecting plan participants and their employee
benefits. Notably, this duty extends to all employee benefit
plans, not just retirement benefits. Plan fiduciaries and their
providers would do well to carefully review and consider the
application of the guidance. Also, they shouldn't be surprised
if the DOL provides further instruction, possibly in the form
of regulatory or sub-regulatory guidance, about cybersecurity,
in the not too distant future.
David Kaleda is a principal in the fiduciary responsibility practice
group at Groom Law Group, Chartered,
in Washington, D.C. He
has an extensive background in the financial services sector. His
range of experience includes handling fiduciary matters affecting
investment managers, advisers, broker/dealers, insurers, banks and
service providers.