DOL guidance welcomed but some want it to go further

The Department of Labor's Employee Benefits Security Administration, in issuing its first cybersecurity guidance, made clear a point that was only previously assumed: that under the Employee Retirement Income Security Act, making reasonable efforts to mitigate cyberthreats are part of a retirement plan fiduciary's responsibilities.

And while initial impressions of the guidance were positive, some stakeholders would like to see more, including a formal rule-making process with the opportunity to provide comments.

After months of back and forth with stakeholders and a report from the Government Accountability Office with tailored cybersecurity recommendations, the Labor Department on April 14 unveiled a three-piece guidance package detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants.

Plan sponsors welcome the guidance — which offers tips as opposed to orders — especially because the Labor Department has been asking plans under audit about their cybersecurity procedures, said Will Hansen, Arlington, Va.-based executive director of the Plan Sponsor Council of America and chief government affairs officer at the American Retirement Association. The guidance provides "more insight into what the Department of Labor thinks are best practices for plan sponsors to engage in analyzing their record keepers and service providers on what are the best cybersecurity practices," Mr. Hansen said.

The first piece of guidance included tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor their activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.

The second piece of guidance was a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

The final piece was a set of online security tips for participants and beneficiaries when accessing a retirement account.

Without sufficient protections, retirement plan participants and assets may be at risk from both internal and external cybersecurity threats, the Labor Department said in a news release. "This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats," said Ali Khawar, acting assistant secretary for EBSA, in the news release.

Most record keepers should be comfortable with the Labor Department's guidance because it aligns closely with the SPARK Institute's standards, said Tim Rouse, Simsbury, Conn.-based executive director at SPARK, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms.

SPARK formed the Data Security Oversight Board, composed of industry stakeholders, that published a set of cybersecurity best practice standards in 2017.

Both the Labor Department guidance and the SPARK standards are built on two key principals to better assist the plan sponsor in fulfilling its cybersecurity fiduciary duty, Mr. Rouse said: the consumer should be provided standard cybersecurity information that can be used to compare service providers and basic cybersecurity information should be provided by trusted independent third-party auditors to ensure the integrity of all the data.

One thing Mr. Rouse would like the Labor Department to make clear to plan sponsors, though, is that the sharing of a penetration test — done to find vulnerabilities in a defense system — is unacceptable since it could contain a road map for bad actors. Instead, plan sponsors should be able to ask for and receive information on penetration tests, including how often they're performed and by whom, and what the remediation policy is for fixing identified issues.

Also, plan sponsors should be clear what they mean by "breach" when contracting with service providers, Mr. Rouse said. Because of bots and automatic web requests, every system in the world is constantly experiencing some level of breach, he added.

"Most never arise to a level of severity that becomes meaningful to a consumer," Mr. Rouse said. "Properly identifying the right level of severity acceptable to each plan sponsor is critical for this process to work effectively."

The best practices outlined in the Labor Department's guidance are commonplace among record keepers, said Doug Peterson, Greenwood Village, Colo.-based chief information security officer for Empower Retirement and chairman of SPARK's Data Security Oversight Board. "There are certain table stakes when you've got people's identities, you've got their retirement dollars, you absolutely have an obligation to protect that," he said.

Elizabeth S. Goldberg and Matthew H. Hawes, Pittsburgh-based partners with law firm Morgan, Lewis & Bockius LLP, were pleased the Labor Department issued guidance on this subject before initiating cybersecurity-targeted audits, but took issue with the retirement industry not getting an opportunity to comment before the guidance was released.

Although guidance can be helpful in gaining insight into how the Department of Labor views a particular issue, a formal rule-making process — where comment periods are required — are "afforded greater weight" from a legal perspective, Mr. Hawes said.

"I certainly would expect that depending on how this is received and what happens as a result of this guidance over the next couple of months, couple of years, that the Department of Labor may wade more formally into this area and memorialize some of this in formal regulations," Mr. Hawes added.

Mr. Peterson would like to see a formal regulation. "Hopefully that's in the future at some point," he said.

But with the guidance now on the books, "We are expecting as a next step by the DOL for there to be some investigations in this area," Ms. Goldberg said.

Mr. Hansen is happy the guidance came before investigations. "Plan sponsors have been audited for years by the Department of Labor on missing participants with zero guidance, so I think the fact that they are being proactive on cybersecurity is a great first step," he said. The Labor Department in January issued a list of best practices for locating missing participants following years of investigations.

At the beginning of the COVID-19 pandemic, with tens of millions of Americans suddenly working from home, cybersecurity experts feared bad actors would have more opportunities to infiltrate individual retirement accounts.

But, Ben Taylor, Los Angeles-based senior vice president and head of tax-exempt DC research at Callan LLC, said that didn't end up happening. "I think a lot of the bad actors' attention have turned elsewhere with the same information because it's been a lot easier to get it from unemployment claims or pandemic stimulus than it has been to get it from a retirement plan," he said.

Still though, cyberthreats have evolved in recent years. "The attacks certainly are far more sophisticated than they were just five years ago," Mr. Peterson said. "We're seeing an increase in advanced persistent threats."

Mr. Rouse has noticed a similar evolution: "No longer is it just one individual who's just sitting there trying to get into your system; now what's been done is it's automated to the point where it's literally millions of bots attacking firewalls all over the world," he said. "It's a constant battle. You can never take a rest because the bad guys are never taking a rest."

Never taking a rest means ramping up cyberdefenses, which has become a common practice for record keepers. "The persistent actors have gotten consistently more sophisticated in their ability to go after just about any target, but at the same time the defense has grown more sophisticated at probably a more rapid rate," Mr. Taylor said.