The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers, a key official said Oct. 28.
Addressing SPARK’s Cybersecurity Virtual Event, Tim Hauser, Deputy Assistant Secretary for National Office Operations at DOL's Employee Benefits Security Administration (EBSA), also indicated that he expects to see more focus in the department’s investigations on the adequacy of various cybersecurity programs, especially for large plans in terms of making sure the providers they hire are observing good cybersecurity practices.
“When a plan fiduciary is hiring somebody who is going to be responsible for confidential, personal information, or who’s going to be running systems to keep track of people’s account balances and the like, there’s a responsibility to make sure that you’ve hired that person prudently, that firm prudently,” Hauser noted. “And if you think about plans and the universe I described, that’s just shy of $11 trillion, and with personal health and pension data, there are a lot of tempting targets there and what we’ve seen in our own enforcement actions, especially in our criminal programs, vulnerabilities are taken advantage of.”
Hauser clarified during a Q&A session that the guidance would be informal, and not a formal notice and comment rulemaking.
Hauser further observed that people tend to think of cybersecurity incidents as sophisticated crimes, but often they are much simpler: people taking advantage of vulnerable systems. Examples he cited include a 401(k) plan trustee who used participant account information to transfer distributions to their own accounts, and a third-party administrator who used personally identifiable information to submit fraudulent distribution claims. In these instances, the IT security systems proved to be vulnerable to bad actors, both internal and external, he noted.
Offering a preview of the forthcoming guidance, as well as the questions you’ll likely get from DOL investigators if you get a knock on the door, Hauser divided the discussion into two segments: the plan sponsor as the fiduciary hiring a TPA, and the service provider itself.
Plan Sponsor Considerations
“If you’re entrusting sensitive personal account data and financial transaction authority to a third party, you need to think about IT security and what kind of security you can expect that entity to employ,” Hauser emphasized.
He noted that, at a minimum, the DOL would expect a fair amount of questions to be asked when hiring a TPA. Larger plans in particular should be asking what practices and policies the service provider has in place to ensure its systems are secure, and whether it undergoes regular third-party audits by an independent entity. Additional questions he suggests asking include:
- How do they go about validating the cybersecurity of the systems?
- What sort of track record do they have, and do they have prior incidents?
- Are they willing to talk to you about those prior incidents and what have they done to respond to them?
- To what extent do they stand behind the security of their systems and are they prepared to commit to make you whole in the event there is a vulnerability that causes trouble?
- Do they have insurance policies to make you whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?
For recordkeepers or the entity running the system, Hauser noted that the DOL’s No. 1 concern is whether the firm is meeting current standards and addressing vulnerabilities, particularly as they change and evolve. “If we were in looking at a recordkeeper or a TPA for cybersecurity, we’d want to see that there’s a formal well-documented cybersecurity program, that there are procedures, guidelines and standards in place, that they’re regularly updated and that they’re actually implemented,” he explained.
The DOL also would want to see regular risk assessments, at least annually but more frequently if necessary. They’d also like to see a reliable third-party audit of the entity’s cybersecurity practices and an associated unbiased assessment of what the risks, vulnerabilities and weaknesses are, he noted.
“And I think it’s probably important in the plan world that there is some care to match the records as they exist at the recordkeeper with the records as they exist at the plan. A regular kind of cross-checking I think would have avoided some of the problems we’ve seen in some of our investigations,” Hauser observed.
The DOL also wants to see how responsive responsible parties were to cybersecurity incidents, he noted. If a vulnerability has been identified and somebody got access to confidential information they shouldn’t have, “we’d expect to have seen a response, including notifying law enforcement, the FBI, the plan and their participants,” he explained. “We can argue forever about what the right standards are for a particular cybersecurity practice, but for a court and a judge, if they see that you have this exact problem, and then you did nothing and it happened again, you’re probably in trouble at that point.”
“I don't think any of these things are probably news to any of the IT people, but I think, nevertheless, putting out some tips along these lines may be helpful to the industry cause everyone has a common goal here in making sure that people get the benefits they’re promised,” he concluded.