As sponsors of 401(k) and other retirement plans, employers typically rely on plan service providers (e.g. recordkeepers, trustees, etc.) to maintain plan accounts, keep participant accounts secure and keep participant data confidential. As fiduciaries, employers must act with the care and diligence that a “prudent” person would exercise under the circumstances. Thus, it is imperative that employers retain retirement plan service providers that have strong cybersecurity practices. The Department of Labor (“DOL”) recently issued guidance to help employers meet their cybersecurity fiduciary responsibilities under ERISA.
In selecting a service provider, the DOL set forth the following inquiries an employer should make: 1) ask the service provider about its information security standards, practices, policies and audit results; 2) ask the service provider how it validates its practices and what levels of security standards it has met; 3) ask whether the service provider has had past security breaches and, if so, what corrective measures were taken; 4) ask the service provider about any insurance policies it has in place to cover any losses associated with cybersecurity and identity theft breaches; and 5) make sure the service provider has an ongoing program to maintain compliance with cybersecurity and information security standards. These same inquiries should be made with respect to any existing service providers.
Significantly, by providing this guidance for selecting service providers, the DOL is also setting forth what it believes is an employer’s expected fiduciary standard of care. Employers must be proactive in mitigating cybersecurity risk. In addition, employers should take steps to inform plan participants of ways to keep their online information and accounts secure.