In this fourth episode of Ropes & Gray’s podcast series addressing emerging issues for fiduciaries of 401(k) and 403(b) retirement plans to consider as part of their litigation risk management strategy, ERISA & benefits partner Josh Lichtenstein speaks with Ed McNicholas, co-chair of the data, privacy & cybersecurity practice, and David Kirchner, a principal in the benefits consulting group, about the U.S. Department of Labor’s new cybersecurity guidance, which identifies steps that plan sponsors, service providers and participants should take for safeguarding retirement benefits and personal information. Listen to the podcast.
Josh Lichtenstein: Hello, and thank you for joining us today for the latest Ropes & Gray podcast. I’m Josh Lichtenstein, an ERISA partner based in our New York office. I’m here today with Ed McNicholas, co-chair of the data, privacy & cybersecurity practice, who is based in Washington, D.C., and David Kirchner, a principal in our benefits consulting group, who is based in Boston. In the second episode of this series on emerging issues in 401(k) and 403(b) plan litigation risk assessment and management, we discussed the cybersecurity protocols of retirement plans, including that the U.S. Department of Labor (or DOL) was working on a guidance package to address certain cybersecurity and data privacy issues for benefit plans. Last month, the DOL finally unveiled this anticipated guidance—the first of its kind for the Department—with releases focusing on three main areas:
- online security tips for plan participants and beneficiaries;
- tips for plan sponsors and fiduciaries for prudently selecting service providers with strong cybersecurity practices; and finally
- best practices for plan fiduciaries and recordkeepers for managing cybersecurity risks.
For today’s discussion, we are going to focus primarily on the last two pieces of guidance, but before we do that, David, would you mind giving a brief summary of the DOL’s online security tips for plan participants and beneficiaries?
David Kirchner: Thanks, Josh. It’s nice to be joining you again for another episode of this podcast series. In short, these online tips for plan participants and beneficiaries are basic, precautionary steps that people should be following in any aspect of their lives where their personal identifiable information (or PII) is being transmitted. For instance, plan participants should be using strong passwords that are unique to their investment accounts and those passwords should be changed regularly—the tip sheet suggests every 120 days. They should be wary of free public Wi-Fi networks, they should enable multi-factor authentication to verify their identities before accessing retirement accounts, and they should ensure that all of their contact information is accurate and current. In reality, for most participants, their plan balances represent a very significant portion of their life savings so these are the same safeguards that participants and beneficiaries should follow when accessing their bank account, brokerage or credit card accounts online, and doing so can make a big difference in keeping retirement account PII and, even more importantly, the retirement assets themselves safe.
Now, to take it a step further, I want to address this from the plan sponsor’s perspective. I believe plan sponsors will want to ensure that some of these security features are available to participants, and confirming that these features are available should be part of their ongoing evaluation process of recordkeepers and other service providers to plans. For example, plan sponsors should confirm that multi-factor authentication is a default security feature with their current recordkeeper and inquire about how often a participant is required to change their password, and whether the password requirements for participants are robust.
Josh Lichtenstein: That’s a great point, David. The plan sponsor really does need to be making sure that the recordkeeper has sufficient security features in place for the participants and that there’s documentation of their inquiries and vendor responses, because if they aren’t ensuring the features are available, participants obviously can’t take advantage of them. Ed, can you speak about some of the real world consequences that plan sponsors and other service providers have faced because they had insufficient security features in place?
Ed McNicholas: Of course, and thank you for asking me to join with you today. As you and David covered in your previous episode, when there are vulnerabilities in the plan sponsor or service provider’s security apparatus, bad things may occur and litigation may ensue. You can certainly contract away the work of running a plan, but you cannot contract away the obligation of ensuring that this sensitive personal data is handled appropriately.
Abbott Labs and Estee Lauder are two recent examples of this challenge. In both cases, the companies and their recordkeeper, which happens to be Alight Solutions, were sued for fraudulent distributions of plan account balances without participant authorization. While Abbott Labs was able to get the plaintiff’s lawsuits dismissed, the litigation remains ongoing for Alight. For Estee Lauder, it eventually reached a settlement with the plaintiff. Nevertheless, both cases make clear that plan sponsors must ensure that their recordkeepers and any other service providers that they work with who handle participants’ PII have robust security protocols in place to prevent these unfortunate and potentially costly scenarios from happening.
We need to be realistic that data breaches will happen despite reasonable precautions, and so sponsors and recordkeepers should have an organized plan to respond to any incident—and they should practice this plan by using mock “tabletop” exercises. It is also worth mentioning that every U.S. state has a data breach notification law that is triggered by a breach involving certain personal information in some circumstances. There is certainly no such thing as perfect security or a risk-free vendor engagement, but relying upon a service provider with a track record of poor security practices can make a breach more likely or more damaging. Plan sponsors can incur significant costs in the investigation, mitigation and remediation of a breach even in the absence of litigation.
Josh Lichtenstein: Thank you for those insights, Ed. It’s a great point as it’s really a question of when not if breaches will occur, and so it’s important for plan sponsors to be realistic about having planned approaches when they occur. Let’s move on now to the DOL’s cybersecurity best practices for plan fiduciaries and recordkeepers. I suspect that many of our listeners are plan sponsors who are responsible for their employer’s retirement plans, so these best practices will be an important resource for them when vetting the plan’s current recordkeeper or hiring a new recordkeeper. David, would you mind providing an overview of the DOL’s guidance for plan fiduciaries and recordkeepers?
David Kirchner: Sure, Josh. The DOL outlined twelve best practices for recordkeepers, which really fall into what I see as three main categories. The first category encompasses the implementation of robust security measures. For example, plan sponsors should confirm that recordkeepers are encrypting sensitive data in storage, and while in transit, that they have an effective business resiliency program that addresses business continuity, disaster recovery, and incident response, and that they have strong access control procedures. Plan sponsors should also be asking how, if any, past cybersecurity incidents were responded to by the recordkeeper.
The second category is governance, which entails devising a written plan for these robust security measures and having a point person (or persons) within the organization to ensure the successful implementation of these measures. In other words, recordkeepers should have a formal, well-documented cybersecurity program in place. They should also have a team of internal employees assigned to oversee the cybersecurity program, with a senior-level executive in charge, like a director of information security or chief information security officer. It may also be helpful to know whether they have an employee specifically in charge of data privacy, such as a chief privacy officer or a member of the legal department with oversight responsibility for privacy.
The third category is the ongoing monitoring of cybersecurity programs. I believe that this might be the most important group of best practices. While it’s critical to confirm that the plan recordkeeper has a robust cybersecurity program in place and a governance structure to administer it, those things will only matter if they are kept up-to-date. The recordkeeper has to monitor its program and continually update it in response to the results of periodic risk assessments that are conducted. All recordkeepers should also ensure that they obtain a reliable annual third-party audit of their security controls, such as a SOC report—as Ed will describe shortly—that can be furnished to plan sponsors upon request.
And even though the DOL states these best practices are intended for recordkeepers, plan sponsors should vet these best practices across the plan’s entire web of service providers, and that includes custodians, auditors, actuaries, even the firms who execute trades through the plan’s brokerage window.
Josh Lichtenstein: Thank you for that helpful overview, David. Ed, building on what I mentioned earlier, I think that many of our listeners have more of an HR, benefits, legal or finance background, than a tech background, and as a result, some of the technical details and jargon in the DOL’s best practices may be new or unfamiliar to them. Would you mind providing some color on essentially what steps plan sponsors should be taking now to make sure they are able to effectively evaluate their recordkeepers and their other service providers’ cybersecurity programs in accordance with the DOL’s new guidance and guidelines?
Ed McNicholas: First and foremost, this whole area requires collaboration across disciplines. HR and benefits teams need to work with their internal privacy and information security colleagues. And the internal privacy and information security teams, even though they may be familiar with the DOL’s guidance on some conceptual level, may not actually understand the plan structure and the sponsor’s responsibilities as a fiduciary.
So in the big picture of cybersecurity, the DOL’s guidance is not particularly novel or innovative. Other regulatory bodies (for instance, banking, health, or insurance regulators) at the state and federal level have issued similar guidance and requirements over the years. The privacy and security teams should likely build off their prior compliance efforts in implementing the DOL’s best practices. It’s usually most effective to develop one company-level policy that governs the flow of personal data from the company to any third party, and that policy describes when a privacy or security review of a service provider is warranted and when certain types of security-related contractual terms are warranted in that particular provider’s agreement.
To start developing such a policy for a retirement plan, the HR and benefits team should share with the privacy and information security personnel an inventory of all the current service providers to the retirement plan, which includes the type of data they receive, what types of services they provide, and how participants access or interact with these particular service providers. In particular, the privacy team will focus on any sharing of plan participant information with third parties for analytics purposes. Along the lines David mentioned earlier, plan sponsors should consider the full range of internal and external actors who are coming in contact with participants’ data, such as payroll providers, HRIS employees, recordkeepers, and custodians.
Plan sponsors can risk-rate and prioritize review of service providers that hold the most plan assets, or have the most recent cybersecurity issues or litigation brought against them. To this end, I would recommend plans being extra vigilant when it comes to dealing with acquisitive recordkeepers that have scooped up some of the smaller players in the space. It’s not uncommon for acquiring recordkeepers to continue using the acquired business’s legacy systems, and the plan sponsor should make sure they understand the status of integration of these legacy systems and/or what steps the recordkeeper has taken to ensure the security of the current platform as a whole.
Now, once the plan sponsor develops a policy document for vetting recordkeepers and other third-party service providers, it’s important to continually revisit that policy and make updates as needed, often annually. Cybersecurity threats continually change and the plan sponsor’s policy should be updated in a timely manner.
Josh Lichtenstein: Those are some really great, practical suggestions, Ed. I think that they’re very clear and lots of them might not be obvious to our listeners at first blush, I think it’s really great to hear that these are things they should be considering. David, can you recommend some criteria that plan sponsors may want to use when they’re developing a policy to actually vet a prospective recordkeeper like Ed described, or in general, to vet their current recordkeeper or potentially hire another kind of service provider where cybersecurity would be a concern?
David Kirchner: Sure. At a minimum, plan sponsors should be requesting and reviewing a few different documents as they relate to their current recordkeeper, including the recordkeeper’s security standards, practices and policies, a SOC-2 audit results, and any applicable cybersecurity insurance policies that the recordkeeper provides or has purchased.
Periodically, no different than with the fee benchmarking that plan sponsors should already be performing, plan sponsors should also be going out to the market to check what other recordkeepers’ security standards and policies look like. That can be benchmarked in a periodic RFP process where the plan sponsor is benchmarking all aspects of the vendor’s fees and other services. During an RFP process or just with the plan’s current recordkeeper, plan sponsors should inquire about the recent litigation or cybersecurity breaches that they may have, what third parties handle any participant data, and the compliance with records retention and destruction laws. Like Ed mentioned, I would recommend reviewing the recordkeeper’s response to these inquiries with a privacy and information security specialist and having a documented discussion about this at a benefit committee or investment committee for the plan.
Plan sponsors should also be reviewing their current contract with their recordkeeper for provisions that allow the plan sponsor to conduct an independent audit by a third-party security consultant, whether additional cybersecurity guarantees are included in the contract, and whether the recordkeeper is allowed to share participant data with third parties or use participant data to offer or sell other services to participants that are unrelated to the retirement plan, and we’ve talked about this before, I think, on other podcasts. This review should be done periodically and monitored. Undoubtedly, if there’s any litigation brought against the plan sponsor’s recordkeeper or the sponsor learns of any security breaches, the sponsor will want to prioritize the review of that recordkeeper or service provider.
Expanding on the insurance point, as per the DOL’s recommendation, plan sponsors should find out if the recordkeeper or service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as third party hijacking of a plan participant’s account.
Josh Lichtenstein: A lot of the procedures and processes you just described are very familiar to me as an ERISA lawyer. But I’ve got to say, I use a lot of ERISA jargon every day in my job, but some of these terms, like a SOC-2 audit, are completely new to me. Ed, could you explain what a SOC-2 audit is, and what information a plan sponsor can learn from it about a recordkeeper?
Ed McNicholas: Certainly. I’ll try to give you cybersecurity jargon 101 here. A SOC report is a Service Organization Control report. So at a high-level, a SOC-2 audit is a third-party review based on certain criteria relating to an organization’s controls for the confidentiality, availability and integrity of systems used to process data. Now, I should mention SOC-2 is not the only game in town. The National Institute of Standards and Technology (NIST) published a well-received cybersecurity framework, which was adapted for financial institutions by the Federal Financial Institutions Examination Council (or FFIEC). There is also an equivalent international standard under ISO 27001, which may be useful for companies with global operations. Now, all these standards are designed to be flexible in nature, so that they can be applied in a wide variety of contexts with variations in scope and objectives.
I should make a note about the SOC reports—there are a couple different kinds of SOC reports. There’s the SOC-1, which focuses on security controls at a particular point in time. A SOC-2 in contrast, focuses on controls over a period of time (say, six months). The audit report after a SOC will contain an assertion from management regarding their controls, followed by an opinion from the auditor among other details. One key point is that the SOC-2 is not a prescriptive or one-size-fits-all audit—there are variations that plan sponsors should be aware of when reviewing a SOC-2 report. With those variations and limitations in mind, the hope is to see a SOC-2 that is appropriately scoped for the plan sponsor’s purposes, and reflects an unqualified opinion from the auditor, meaning that the auditor’s findings are consistent with management’s assertion. Now, if there are gaps from a scoping standpoint, or if the report opinion is qualified, consider whether those gaps or qualifications are significant and how they might affect the plan.
And just for clarity, I should note there is actually a SOC-3 as well, which is a report for public use. I just mention at the end because even though it reflects the highest level of certification, it’s rare in practice, except for large data centers, and is not the kind of thing a plan sponsor would typically expect to see.
Josh Lichtenstein: Thank you so much for the overview, Ed. That was really very helpful in understanding some of this terminology and trying to put it in context. One thing I think is clear from the DOL’s guidance is they’re expecting plan sponsors to thoroughly vet the recordkeepers on their cybersecurity protocols, but, David, what advice would you give to our smaller employers and plan sponsors that are listening in that may not necessarily have the capacity to conduct this level of vetting or the bargaining leverage to negotiate any enhanced assurances from the recordkeepers on these cybersecurity issues?
David Kirchner: As you know, Josh, small employers already have a difficult time negotiating recordkeeping fees, let alone cybersecurity protocols. That being said, it may be difficult for them to seek appropriate contractual protections from recordkeepers. The larger recordkeepers will have strong compliance documentation and SOC-2 audit reports, as Ed mentioned earlier, but they will likely also be more difficult to negotiate with. When dealing with larger recordkeepers, plan sponsors of all sizes should engage their information security teams to review the recordkeeper’s cybersecurity policy and documentation, and identify gaps or develop comfort regarding the vendor’s alternative security controls.
Josh Lichtenstein: Thank you for that, David. Pivoting slightly, I thought that it was interesting the DOL stopped short of formally saying in the guidance that there is a fiduciary responsibility to mitigate cybersecurity risks in retirement plans. And I thought it was notable that it was actually a break from a recent U.S. Government Accountability Office report, which recommended that the Department of Labor say that this is a fiduciary obligation. Still, I think it’s clear from the DOL’s guidance that it’s intended to impose new minimum expectations for addressing cybersecurity risks in defined contribution plans, and to also outline a new set of responsibilities and burdens that will fall on plan sponsors. So, David, what are your thoughts on how the market may react to all of these new obligations and this new guidance?
David Kirchner: Well, Josh, there are various motivations for sponsoring a retirement plan for employees, but doing so brings a whole host of administrative, logistical, and in some cases, fiduciary implications. You can now add cybersecurity to that mix. With the launch of the pooled employer plans, or what we refer to as PEPs, earlier this year, employers could consider outsourcing many of the attendant duties of maintaining a retirement plan, including cybersecurity, to a pooled plan provider. While we are very much in the initial stages of the PEP era, this new guidance offers yet another consideration to employers that are on the fence about sponsoring a retirement plan or joining a PEP.
Josh Lichtenstein: Well, that’s probably the perfect note for us to end on today as we are planning on discussing PEPs on our next podcast. Thank you so much to Ed and David for joining me today, and sharing some incredibly valuable insights in these critical, emerging areas. For more information on the topics that we discussed or any other aspects of 401(k) litigation risk assessment and management, please visit our website at www.ropesgray.com. If we can help you navigate this complex and rapidly developing area of the law, please do not hesitate to contact any of us. You can also subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thank you again for listening, and take care.