In April of 2021, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued new cybersecurity guidelines. These guidelines are targeted specifically at the fiduciaries and record-keepers of employee retirement plans. The DOL created these new best practices to help protect plans that hold “millions of dollars or more in assets and maintain personal data on participants.”
In this article, we’re going to review the specific terms of the Department of Labor’s cybersecurity initiative and discuss the impact that it may have on the legal industry.
Let’s get started!
What is the DOL’s cybersecurity initiative?
Nearly five years ago, the ERISA Advisory Council expressed concerns to the federal Department of Labor regarding the cybersecurity practices for benefit plans. The recent guidelines aim to address some of those concerns. Furthermore, they seek to clarify the fiduciaries’ obligation to mitigate plan exposure to cybersecurity events.
The DOL stated that plan sponsors will need to produce:
“all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan.”
What does the cybersecurity initiative include?
While the requested documentation may seem overly broad, the DOL also offered specific examples of the kinds of information it is seeking. The list includes all policies and procedures related to:
- The implementation of access controls and identity management, including any use of multi-factor authentication.
- The processes for business continuity, disaster recovery, and incident response.
- Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
- Cybersecurity awareness training.
- Encryption to protect all sensitive information, whether stored or in transit.
Ultimately, the goal of the DOL is not to create a new regulatory hurdle, but rather to see how plan fiduciaries are communicating with their service providers to assess cybersecurity risk. The agency is also concerned with the terms under which service providers are permitted to use plan data.
How does the cybersecurity initiative impact attorneys?
The DOL’s cybersecurity initiatives will have the largest impact on corporate counsel for third-party plan providers and counsel for plan fiduciaries/sponsors. To provide adequate representation for these clients, lawyers should ensure that plan fiduciaries have taken reasonable steps to protect plan data. No cybersecurity tool is guaranteed to prevent all data breaches; however, it’s critical to evaluate a service provider’s information security standards, practices, and audit results so that they can be compared to the industry standards adopted by other financial institutions.
Thanks for reading! We hope we’ve been able to cover the basics of the DOL cybersecurity initiative and explain how this new guidance is expected to impact the legal industry.
Please don’t hesitate to contact us with any questions or concerns. At First Legal, we’re here for you from File Thru Trial™!