木瓜影院

Article

DOL urged to give retirement plans cybersecurity guidance

This article was first published by Mercer .

Citing reports of cybersecurity breaches and stolen funds from retirement accounts, a recent Government Accountability Office (GAO) report urges the Department of Labor (DOL) to issue guidance to help defined contribution (DC) plans guard against these threats. In the report to leaders of House and Senate committees that oversee ERISA, GAO recommends DOL formally state that plan fiduciaries are legally responsible for mitigating cybersecurity risks. GAO also calls on DOL to issue cybersecurity guidance detailing specific steps for plans to protect participant accounts and personally identifiable information (PII).

Guidance coming

DOL officials told GAO that they believe cybersecurity is a serious problem for retirement plans, and the department plans to post subregulatory compliance assistance materials addressing related issues for plan sponsors and administrators. But the timing of DOL鈥檚 coming cybersecurity guidance is uncertain. GAO鈥檚 report did not recommend legislation, but lawmakers will likely assess the need for action after reviewing the DOL guidance.

Regarding cybersecurity as a fiduciary responsibility under ERISA, DOL officials suggested that this is already implicitly required under ERISA鈥檚 broad fiduciary standards and existing electronic notice and disclosure rules. DOL believes that ERISA鈥檚 fiduciary obligations require managing cybersecurity risks to retirement plan assets and PII. For example, retirement plan sponsors should ask questions about cybersecurity measures when retaining service providers and periodically monitor the provider鈥檚 compliance with those procedures.

Prior calls for guidance.听Cybersecurity issues are not new to DOL, which has conducted investigations and prosecutions related to cybersecurity incidents over the years. In addition, DOL鈥檚 ERISA Advisory Council has recommended 鈥 most recently in听听鈥 guidance on how sponsors should evaluate and manage cybersecurity risks to plan data and participants鈥 personal information 鈥 especially risks involving third-party relationships for plan administration.

Patchwork of rules

The GAO report notes that even though the retirement industry has a broad array of tools and information to help sponsors address cyber risks, these standards are generally voluntary. Federal law imposes some protections, but they generally apply only to certain service providers, leaving out听others that work with sensitive information. For example, financial institutions are subject to federal legislative and regulatory requirements to safeguard the privacy of consumer data, but those rules may not apply to plan sponsors that aren鈥檛 financial institutions or to plan service providers that handle only administrative functions.

鈥淎s a result, plan fiduciaries and their service providers rely on a patchwork of federal regulations, guidance, and industry leading practices to 鈥 mitigate cybersecurity risk in DC plans,鈥 lawmakers said听in response to the GAO report. 鈥淯ntil DOL formally clarifies plan fiduciaries鈥 responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, and plans and their participants will continue to be vulnerable to financial losses and PII breaches.鈥

Liability for breaches unclear

According to the report, a major source of vulnerability comes from the data that plan sponsors and administrators share electronically, including participants鈥 Social Security numbers, addresses and birth dates. In some cases, the report noted, individuals employed by the plan sponsor made unauthorized withdrawals from participants鈥 accounts.

Attorneys cited in the report said that who bears the risk for losses from these security breaches is sometimes ill-defined and left to the courts to sort out. Although ERISA fiduciaries can be held personally liable for breaches, DOL officials noted that fiduciaries might not be able to cover the losses due to the large amount of money at risk in retirement accounts. Cyber insurance may enable plan sponsors and service providers to recover some costs caused by an attack. But those policies often have caps on payouts, exclude certain types of attacks or don鈥檛 cover funds stolen from participants鈥 accounts.

DOL urged to give retirement plans cybersecurity guidance


DOWNLOAD PDF