What does this mean for plan sponsors?

Plan sponsors may wish to review their own current cybersecurity practices, including reviewing their service-provider contracts, as well as initiating ongoing surveying of those same vendors, to ensure they are acting in accord with the practices that the DOL has identified.

Plan sponsors should consider this new guidance as they select and monitor the plan service providers that have access to sensitive, confidential plan-related data and information. This data includes personally identifiable information (PII), electronic protected health information (ePHI), or sensitive trust information (e.g., surrounding banking).

Plans should review their vendors’ practices to assure that trustees are meeting these new fiduciary best practices. Trustees may find it necessary to retain a cybersecurity expert who is also knowledgeable about ERISA trusts and plans to audit vendors’ practices.

Finally, plan sponsors should review existing insurance policies and determine whether cybersecurity insurance changes would be appropriate.

Below are three steps plan sponsors should consider taking to ensure their cybersecurity efforts are aligned with the DOL’s recommendations.

Create an information security governance committee

The first suggestion is to create a formal or informal information security governance committee. This committee will help ensure clarity and consistency in practices within the areas of responsibility for cybersecurity among the plan’s administrative function (i.e., the fund office or third-party administrator), non-administrative third parties, vendors and trading partners who all access and store sensitive or confidential plan-related data and information.

If formally empaneled as part of the board of trustees, the committee could be a subset of plan trustees and legal counsel (often with input from other professionals knowledgeable in both cybersecurity and ERISA trust administration and operations). An informal committee may be more typically comprised of the plan administrator, legal counsel and other professionals.

One of the most common mistakes organizations make is that they build their committees and then launch into their first meeting without any type of charter (defining the general responsibilities of the committee). Without defined inputs and outputs, a committee does not have the information it needs to execute effectively on its responsibilities and, consequently, is unable to meet its stated goals.

What are the committee’s potential responsibilities and duties?

An information security governance committee’s core responsibility should be to provide strategic cybersecurity governance and oversight of the fund office or TPA that administers the plan, as well as the multiple and varied vendors, third parties and recordkeepers that are performing services on behalf of the plan.

Some high-level areas the committee should focus on include:

• Providing oversight and ensuring alignment between the information security requirements of the plan, its participants and the fund office or TPA, as well as the vendors/trading partners servicing both the plan and its participants
• Assessing the adequacy of resources to sustain and advance successful security programs and practices for identifying, assessing data security policies and mitigating information security risks across all vendors/trading partners
• Checking vendor/trading partner controls to prevent, detect and respond to cyberattacks or data breaches involving plan and participant electronic information, intellectual property and other sensitive data
• Reviewing vendor and trading partner cyber insurance policies, as well as the plan’s own policy, to ensure appropriate coverage

The committee should consider the potential for external and internal threats and threats arising from transactions with their own trusted third parties and other vendors (e.g., vendors that serve the plan’s vendors.) The committee should also review privacy and information security policies and standards and the ramifications of any updates to policies and standards. The committee will need to define which vendors it will survey and what metrics it will monitor, and how often this will occur (it should not be a “one-and-done” exercise; it should be viewed as an ongoing commitment of the plan).

Survey vendors and trading partners

In keeping with the spirit of the DOL guidance regarding plan sponsors’ fiduciary responsibilities, plan sponsors should survey their key vendors to ensure they are acting in accord with the best practices the DOL has identified. Potential vendors to survey and monitor can include recordkeepers of PII, ePHI and/or other sensitive and confidential data and information related to the plan (e.g., financial information).

What are the committee’s purposes and responsibilities? These can include governing the use of health, pension and financial data, by third parties, recordkeepers and vendors. For each domain, identify which vendors and associated metrics to survey and monitor. This will help determine the relative importance of the vendors to participants or all stakeholders.

Ranking vendors’ potential risk to the organization will help determine how often to survey them on an ongoing basis.

Sample topic areas about which to survey vendors, include, but are not limited to:

• Their security policies and procedures
• The security architecture and strategy
• If they have any security certifications (e.g., ISO 27001 or PCI)
• Their security tools, technologies and techniques in place
• Their security training and governance

The committee should assess vendors’ survey responses for how complete and current they are and consider how well they align with industry standards and how well they are communicated.

Monitor vendors

There are many possible ongoing metrics to monitor. The following chart lists just a few of the many potential high-level data and information categories the committee could include in its vendor monitoring.

If the committee recommends replacing a vendor, it can refer to the DOL’s tips for hiring one that has strong cybersecurity practices.

Following these steps will mitigate risk and help you fulfill your fiduciary obligations

Whether you create a formal or informal committee, having one is a practical approach to helping mitigate your organization’s cybersecurity risk. It will also help you fulfill your obligations as a fiduciary.