How DOL's Cybersecurity Guidance Impacts Retirement and Health/Welfare Plans
In April 2021, the Department of Labor issued cybersecurity guidance to plan fiduciaries and participants in the form of three separate documents: Tips for Hiring Service Providers with Strong Cybersecurity Practices; Cybersecurity Program Best Practices; and Online Security Tips. Significantly, this guidance appears to apply to both retirement and health/welfare plans and to represent an additional layer of compliance on top of HIPAA.
The first two documents included what amounted to checklists of provisions that plan sponsors should look for in their contracts with service providers such as third-party administrators (TPAs), trustees, custodians, investment managers and the like. The third document was directed more toward individuals and included typical suggestions like frequent changing of passwords and not sharing login information with others.
Ways DOL Guidance is Being Applied in Practice
Over the past few months, we spoke to several service providers on behalf of our clients and received the consistent message of "We're working on complying with the new guidance." In fact, in the case of retirement plan recordkeepers, we understand that they are working with their trade groups to determine whether certain of the DOL's recommendations are feasible and at what cost. At the same time, we understand they are examining their systems to determine what improvements to security can be made and over what time frames.
Unusually, the DOL did not formally solicit comments from the legal, TPA, trustee, custodian or investment manager communities before issuing this guidance. Even when the DOL does not formally solicit comments, it typically uses a "white paper" approach in which it makes its proposal and asks for comments. After reviewing feedback, the DOL often revises or supplements its original guidance.
This time that did not happen, and, importantly, we understand from several sources that the DOL is asking about cybersecurity in its routine reviews and audits. That is, the DOL did not provide a delayed effective date but considers this guidance enforceable now.
How Fiduciaries Can Prepare Now
While this rapid progression is concerning, we believe that prudent fiduciaries should consider the following steps:
- Contact each of your providers, ask where they are in evaluating and implementing the DOL Cybersecurity Guidance, and get firm commitments on when to expect documentation.
- Ask those providers whether they have already determined that they will comply or won't comply with any specific aspects of the guidance.
- Review contracts with providers to determine what cybersecurity protection currently exists and consider whether there are specific shortfalls that can be addressed before hearing from providers.
- Track the communications and incorporate the status of each provider into regular meetings and minutes of plan administrator committee meetings.
Note that the DOL cybersecurity guidance is very high-level and does not include a lot of detail. That can make it difficult to determine what, exactly, a plan sponsor and a vendor must do. For example, HIPAA provides a special rule for “enrollment information”. That phrase is defined to mean rather basic information about who is in a health plan – e.g., the names of the covered individuals and the cost of the health plan option they selected. It does not include detailed claim information. Under HIPAA, enrollment information generally need not be considered “protected health information” (“PHI”). So, if there is a breach of enrollment information, it need not be reported. And enrollment information need not be subject to HIPAA’s strict and detailed Security Rules. This is good from a plan sponsor perspective.
Does the DOL cybersecurity guidance contain a similar concept for “basic” information such as whether a particular employee (e.g., “Joe Smith”) participates in the employer’s retirement plan? It’s not clear. The DOL cybersecurity guidance mentions many things which must be protected (including “participant data”; “private information”; “confidential information”; “personal information”; “nonpublic information”; “information”; “sensitive information”; and “data”). None of those terms are defined. Perhaps some of them – e.g., “sensitive information”, which implies that some plan-related information may not be “sensitive” – could allow a plan sponsor to argue that the new DOL cybersecurity guidance does not apply to that particular set of information. Further DOL guidance would be welcome.
We understand these uncertainties may cause a level of angst for plan administrators and would be happy to discuss how best to execute on these steps, both to satisfy your fiduciary responsibilities and to be well prepared in the event of a DOL examination.
Please contact your local Quarles & Brady attorney or: