Department of Labor Cybersecurity Guidelines Become Rules
by Victoria Tollossa
DOL Cybersecurity Guidance
DOL issued three forms of cybersecurity guidance in April. The first is Online Security Tips, which is targeted at plan participants and beneficiaries. It includes basic steps that individuals can take to safeguard themselves. While it may be helpful to provide the guidance to employees, it is otherwise inapplicable to businesses.
The other two forms are applicable to organizations. Tips for Hiring a Service Provider is targeted at plan sponsors and fiduciaries seeking to hire a service provider. Cybersecurity Program Best Practices targets plan fiduciaries and record keepers.
Tips for Hiring a Service Provider
Tips for Hiring a Service Provider targets plan sponsors and fiduciaries. The beginning of the guidance points to the legal hook: “business owners and fiduciaries . . . responsibilit[y] under ERISA to prudently select and monitor . . . service providers, . . .”
This guidance provides high-level instructions on how to conduct vendor risk management. This includes how to evaluate vendors and what terms to include in vendor contracts. It lacks some key concepts found in other guidance documents and regulations, but if DOL intends to use this guidance document as a minimum floor for plan sponsors and fiduciaries, then it provides a decent baseline without being overly burdensome.
Plan sponsors and fiduciaries should review their service provider contracts and confirm they contain the appropriate provisions and begin to develop vendor risk assessments prior to retaining new vendors.
Cybersecurity Program Best Practices
The more impactful guidance is Cybersecurity Program Best Practices. This guidance, targeted at plan fiduciaries and record keepers, provides 12 cybersecurity controls that should be implemented. None of these controls are overly burdensome, and some courts have imposed such controls on employers through litigation already.
Again, these controls may serve as a floor, although they are more detailed—and so more burdensome—than the vendor risk management guidance.
Plan fiduciaries and record keepers should begin reviewing their cybersecurity posture against these controls. They will also want to ensure that their cybersecurity program is developing compliance documentation for auditors to review.
DOL Cybersecurity Audits
Although DOL issued these documents as guidance, several firms have reported that DOL auditors are examining cybersecurity during scheduled audits. Some of the reported document requests have been extensive.
Cybersecurity audits can be a challenge. This is especially true when the agency conducting the audit is just starting to assess cybersecurity, and when the standards are somewhat vague, which are both true for the DOL audits.
It is critical for organizations subject to DOL audits to first establish an adequate cybersecurity program and then prepare for a cybersecurity audit.
Establishing an adequate program can take months, if not years. This makes DOL’s rapid movement from initial guidance to audit potentially problematic for many organizations. They must establish policies, conduct risk assessments, train their workforce, and upgrade their IT and security infrastructure.
Preparing for an audit can take time, as well. Organizations must ensure all paperwork is gathered and up to date, they must train interview subjects, and they may have to seek documents from service providers for work they outsource.
If You Need Assistance
We can help you develop a cybersecurity program, assess your current compliance, or prepare for an audit. We offer flat fee options for some of the specific requirements, such as risk assessments.
We also offer assistance on a broad range of labor and employment matters, including the other targets of DOL audits.
If you have any questions about this alert or any of the services we offer, please reach out to our legal team below.