The DOL’s Advisory Council on Employee Welfare and Pension Benefit Plans (known as the DOL ERISA Advisory Council) issued a report, Cybersecurity Considerations for Benefit, which summarizes its examination of, and recommendations regarding, cybersecurity considerations as they relate to pension and welfare benefit plans. The Council focused specifically on outlining elements of cyber risk management strategies that can be scaled, or adjusted, based on sponsor and plan size, type, resources and operational complexity. The aim is to give plan sponsors, fiduciaries and service providers useful information for evaluating and developing a cybersecurity risk management program for benefit plans.
The Council also observed that while cybersecurity is a focus area for organizations with regard to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the benefit plan administration process. This data and asset information should be specifically considered when implementing cybersecurity risk management measures. Because benefit plans are regulated by the Employee Retirement Income Security Act of 1974 (“ERISA”), anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries and service providers arising under ERISA.
Plan sponsors and fiduciaries should consider cybersecurity in safeguarding benefit plan data and assets, as well as when making decisions to select or retain a service provider. The Council believes that the Department of Labor should raise awareness about cybersecurity risks and the key elements for developing a cybersecurity strategy specifically focused on benefit plans. The Council also provides suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.