By: HUB’s EB Compliance Team
Back in April, the U.S. Department of Labor (“DOL”) issued guidance on cybersecurity best practices. While the guidance was targeted to retirement plans, the “best practices” document refers generally to any ERISA-covered plan. Therefore, sponsors of health and welfare plans may also want to take note.
Background
In March, the Government Accountability Office (“GAO”) issued a report on cybersecurity, specifically in 401(k) plans. At a high level, the GAO concluded that there are significant assets in retirement plans like 401(k) plans (around $6.3 trillion) and that the DOL had not clarified whether ERISA fiduciaries were responsible for mitigating cybersecurity risks. The DOL’s guidance was issued in response to that report.
Where’s the Data?
The guidance focuses primarily on what service providers to ERISA plans should do. Why service providers? To borrow a quote (mis)attributed to notorious bank robber Willie Sutton, “that’s where the money is” and the data as well. The reality is most employers, while they do have sensitive data on their employees, likely do not have direct access to all the same data that service providers have. For example, your insurer or third-party administrator has health insurance claims information and other detailed information that most employers do not access on a regular basis in part due to Health Insurance Portability and Accountability Act (“HIPAA”) concerns.
A Sense of Security
The best practices document goes into some detail about the different features a strong cybersecurity program should have. In broad strokes, it says that plan service providers should:
- Have a formal, well documented cybersecurity program. – This will help identify the risks and how to protect against them, as well as how to respond to cybersecurity events.
- Conduct prudent annual risk assessments. – This helps keep the program up to date on the latest risks.
- Have a reliable annual third-party audit of security controls. – This gives an unbiased view of the strengths and weaknesses of a cybersecurity program.
- Clearly define and assign information security roles and responsibilities. – If it’s “everybody’s job” then in reality it’s nobody’s job, so someone needs to be responsible.
- Have strong access control procedures. – This makes sure users are who they say they are so that only the right people have access to the data.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. – Ultimately, if the data is being kept somewhere else, that provider’s security also matters.
- Conduct periodic cybersecurity awareness training. – Your weakest link is often your employees. The greatest program in the world can be felled by a single employee clicking on a phishing link. Training employees to spot fakes helps prevent that.
- Implement and manage a secure system development life cycle (SDLC) program. – If applications are being developed internally, it’s important to make sure that process of development is secure as well.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. – What does the service provider do when things go wrong?
- Encrypt sensitive data, stored and in transit. – This speaks for itself.
- Implement strong technical controls in accordance with best security practices. – Having good technical defenses helps. If a system is difficult to crack, the bad guys may move on to an easier target.
- Appropriately respond to past cybersecurity incidents. – This includes a thorough investigation, notifying cyber insurers, and notifying law enforcement, if appropriate. Of course, it also includes fixing problems to prevent this from happening again.
Practices (and Process), not Perfection
For health and welfare plan sponsors, the good news is that in many cases these practices are already a focus of their vendors, especially given legislation earlier this year designed to encourage HIPAA-covered entities to adopt recognized security practices.
Still, the guidance, while retirement-plan focused, provides a good roadmap for all sponsors of plans (including those not covered by ERISA) to consider in evaluating their service providers as part of their fiduciary due diligence. While many service providers will already be focusing on this, in part due to HIPAA, these best practices are in some ways more specific than what HIPAA generally requires. Additionally, to the extent plan sponsors do maintain sensitive data related to their plans, they should also consider evaluating their own cybersecurity practices in light of this guidance. Under ERISA, fiduciary prudence is a process, so asking the right questions, getting and evaluating satisfactory answers, and making (and documenting) a reasoned decision is how to maximize fiduciary protection.
Finally, whether it’s service providers or plan sponsors, it is worth noting that these are best practices. Therefore, not every service provider will necessarily have to adopt every recommendation in this document. However, employers should evaluate each service provider’s practices in light of the data that they retain.
If you have any questions, please contact your HUB Advisor.
NOTICE OF DISCLAIMER
The information herein is intended to be educational only and is based on information that is generally available. HUB International makes no representation or warranty as to its accuracy and is not obligated to update the information should it change in the future. The information is not intended to be legal or tax advice. Consult your attorney and/or professional advisor as to your organization’s specific circumstances and legal, tax or other requirements.
