PLANADVISER - September/October 2021 - 38

ERISA vista
Fred Reish and Joan Neri
Cybersecurity Considerations
How to select and monitor recordkeepers
QUESTION: I am a registered investment adviser [RIA] that
assists 401(k) plan committees in selecting and monitoring
recordkeepers. I also help committees with searches for new
recordkeepers. I understand that the Department of Labor
[DOL] recently issued guidance about fiduciaries' responsibilities
regarding service provider cybersecurity practices.
What do I need to know in order to assist the committees?
ANSWER: The DOL cybersecurity guidance includes tips for
hiring and monitoring plan service providers. While these
tips are not mandates, they provide insight into the department's
views on what constitutes a prudent process for
cybersecurity practices. As adviser to the committee, you
could use these tips as a basis for guiding the committee's
evaluation of how a recordkeeper handles cybersecurity.
The DOL's guidance " Tips for Hiring a Service Provider
With Strong Cybersecurity Practices " identifies a number
of factors regarding cybersecurity that a committee should
consider to prudently select and monitor the recordkeeper
for its plan. These factors fall into three main categories: 1)
information about the recordkeeper's standards, practices
and policies; 2) information about the recordkeeper's track
record, including the way it handled any past security incidents
and breaches; and 3) suggested provisions to include in
the service agreement.
Standards, Practices and Policies
The DOL makes it clear that a plan fiduciary should learn
about the recordkeeper's information security standards,
the manner in which those are validated and how they
compare to industry standards. For example, the DOL
points out that a plan fiduciary should determine whether
the recordkeeper conducts annual third-party audits to
review and validate its cybersecurity systems and practices
and, if so, make sure that the obligation is included in the
service contract. Reviewing the audit report, or a summary
of the auditor's findings, would also be helpful; however,
the recordkeeper may be reluctant to provide that. In this
case, the committee should obtain confirmation that it has
cured any deficiencies identified in the audit report. DOL
investigations of Employee Retirement Income Security Act
(ERISA) plans include a request for information (RFI) about
third-party audits of service provider information technology
(IT) systems, such as Service Organization Control
SOC 1 or SOC 2 reports.
Track Record
The DOL indicates that an evaluation of the recordkeeper's
track record regarding security incidents and breaches is an
important part of the prudent process. This includes review of
public information about any security incidents and related
legal proceedings as well as the recordkeeper's response to
any past security breaches. To assess its responsiveness to a
past incident or breach, you may want to review these factors
with the committee: whether the recordkeeper acted quickly
to address the breach, how it was addressed, the timeliness
of communications about the breach, whether losses were
restored and steps taken to prevent a reoccurrence.
A committee should obtain confirmation from the recordkeeper
that it's in a financial position to cover losses resulting
from cyber liability and privacy breach and should consider
asking for that representation in the service contract. As
explained in the guidance, one way to cover such losses is
through insurance. If the recordkeeper has a policy in place
to cover losses from cyber liability and privacy breach, then
consider helping your committees understand the coverage.
Contractual Provisions
There are other provisions the DOL suggests an agreement
with a recordkeeper contain, including those relating to:
* Confidentiality. The contract should include an obligation
to protect private information, prevent its use or disclosure
without written permission and protect it against unauthorized
access, disclosure or misuse.
* Response to cybersecurity breaches. The contract
should have a provision about how quickly the recordkeeper
will provide notice of a cyber incident or data breach and
should require the recordkeeper to cooperate in investigating
and reasonably addressing the breach's cause.
* Compliance with privacy and security laws. The
contract should require that the recordkeeper satisfy all
applicable federal, state and local privacy, confidentiality
and security laws pertaining to protection of participants'
personal information.
The guidance is about best practices but may turn out to
be more than that. The DOL uses these tips in questions it
asks in its plan investigations.
Fred Reish is chairman of the financial services ERISA practice at
law firm Faegre Drinker Biddle & Reath LLP. Joan Neri, a nationally
recognized expert in employee benefits law, is counsel in the firm's
financial services ERISA practice.
38 | planadviser.com September-October 2021 Art by Tim Bower
http://www.planadviser.com

PLANADVISER - September/October 2021

Table of Contents for the Digital Edition of PLANADVISER - September/October 2021

Masterminds of the Plan
"PLANADVISER’s 2021 Top 100 Retirement Plan Advisers"
How to Optimize Connections
Defining Roles
Building Strategic Partnerships
Different Strokes
Cybersecurity Considerations
Provider Recommendations
PLANADVISER - September/October 2021 - Cover1
PLANADVISER - September/October 2021 - Cover2
PLANADVISER - September/October 2021 - 1
PLANADVISER - September/October 2021 - 2
PLANADVISER - September/October 2021 - 3
PLANADVISER - September/October 2021 - 4
PLANADVISER - September/October 2021 - 5
PLANADVISER - September/October 2021 - 6
PLANADVISER - September/October 2021 - 7
PLANADVISER - September/October 2021 - 8
PLANADVISER - September/October 2021 - 9
PLANADVISER - September/October 2021 - 10
PLANADVISER - September/October 2021 - 11
PLANADVISER - September/October 2021 - 12
PLANADVISER - September/October 2021 - 13
PLANADVISER - September/October 2021 - 14
PLANADVISER - September/October 2021 - 15
PLANADVISER - September/October 2021 - 16
PLANADVISER - September/October 2021 - 17
PLANADVISER - September/October 2021 - Masterminds of the Plan
PLANADVISER - September/October 2021 - 19
PLANADVISER - September/October 2021 - 20
PLANADVISER - September/October 2021 - 21
PLANADVISER - September/October 2021 - "PLANADVISER’s 2021 Top 100 Retirement Plan Advisers"
PLANADVISER - September/October 2021 - 23
PLANADVISER - September/October 2021 - 24
PLANADVISER - September/October 2021 - 25
PLANADVISER - September/October 2021 - 26
PLANADVISER - September/October 2021 - 27
PLANADVISER - September/October 2021 - How to Optimize Connections
PLANADVISER - September/October 2021 - 29
PLANADVISER - September/October 2021 - 30
PLANADVISER - September/October 2021 - 31
PLANADVISER - September/October 2021 - Defining Roles
PLANADVISER - September/October 2021 - 33
PLANADVISER - September/October 2021 - Building Strategic Partnerships
PLANADVISER - September/October 2021 - 35
PLANADVISER - September/October 2021 - Different Strokes
PLANADVISER - September/October 2021 - 37
PLANADVISER - September/October 2021 - Cybersecurity Considerations
PLANADVISER - September/October 2021 - Provider Recommendations
PLANADVISER - September/October 2021 - 40
PLANADVISER - September/October 2021 - Cover3
PLANADVISER - September/October 2021 - Cover4
https://www.planadviserdigital.com/planadviser/winter_2023
https://www.planadviserdigital.com/planadviser/fall_2023
https://www.planadviserdigital.com/planadviser/summer_2023
https://www.planadviserdigital.com/planadviser/industryleader_2023
https://www.planadviserdigital.com/planadviser/spring_2023
https://www.planadviserdigital.com/planadviser/november_december_2022
https://www.planadviserdigital.com/planadviser/september_october_2022
https://www.planadviserdigital.com/planadviser/july_august_2022
https://www.planadviserdigital.com/planadviser/may_june_2022
https://www.planadviserdigital.com/planadviser/industry_leader_awards_2022
https://www.planadviserdigital.com/planadviser/march_april_2022
https://www.planadviserdigital.com/planadviser/january_february_2022
https://www.planadviserdigital.com/planadviser/november_december_2021
https://www.planadviserdigital.com/planadviser/september_october_2021
https://www.planadviserdigital.com/planadviser/july_august_2021
https://www.planadviserdigital.com/planadviser/may_june_2021
https://www.planadviserdigital.com/planadviser/march_april_2021
https://www.planadviserdigital.com/planadviser/january_february_2021
https://www.planadviserdigital.com/planadviser/november_december_2020
https://www.planadviserdigital.com/planadviser/september_october_2020
https://www.planadviserdigital.com/planadviser/july_august_2020
https://www.planadviserdigital.com/planadviser/may_june_2020
https://www.planadviserdigital.com/planadviser/march_april_2020
https://www.planadviserdigital.com/planadviser/january_february_2020
https://www.planadviserdigital.com/planadviser/november_december_2019
https://www.planadviserdigital.com/planadviser/september_october_2019
https://www.planadviserdigital.com/planadviser/july_august_2019
https://www.planadviserdigital.com/planadviser/may_june_2019
https://www.planadviserdigital.com/planadviser/march_april_2019
https://www.planadviserdigital.com/planadviser/january_february_2019
https://www.planadviserdigital.com/planadviser/november_december_2018
https://www.planadviserdigital.com/planadviser/september_october_2018
https://www.planadviserdigital.com/planadviser/july_august_2018
https://www.planadviserdigital.com/planadviser/may_june_2018
https://www.planadviserdigital.com/planadviser/march_april_2018
https://www.planadviserdigital.com/planadviser/january_february_2018
https://www.planadviserdigital.com/planadviser/november_december_2017
https://www.planadviserdigital.com/planadviser/september_october_2017
https://www.planadviserdigital.com/planadviser/july_august_2017
https://www.nxtbookmedia.com