This article has been written by Parul Chaudhary pursuing the Certificate Course In Technology Contracts from LawSikho. 

This article has been published by Oishika Banerji. 

Introduction to ERISA

The Employee Retirement Income Security Act (ERISA) of 1974 is a federal law that sets minimum standards for most voluntarily established retirement and health plans in the private sector in order to protect the individuals in those plans. It also specifies the federal income tax consequences of transactions involving employee benefit plans. ERISA was designed to safeguard the rights of participants and beneficiaries in employee benefit plans. It requires plans to provide participants with information, including key details about plan features and funding. It establishes minimum standards for participation, vesting, benefit accrual, and funding. ERISA specifies fiduciary obligations for those who manage and control plan assets, and it requires plans to establish a grievance and appeals process through which participants can obtain benefits from their plans. It also gives participants the right to sue for benefits and for breaches of fiduciary duty. ERISA does not apply to plans established or maintained by government entities or by churches for their employees, or to plans maintained solely to comply with applicable workers’ compensation, unemployment, or disability laws. ERISA also excludes unfunded excess benefit plans and plans maintained outside the United States primarily for the benefit of non-resident aliens. Employer-sponsored healthcare plans are subject to ERISA’s rules and procedures as well. ERISA’s main goal is to safeguard the rights of employees who participate in employee benefit plans, such as retirement and healthcare plans.


Protections are available to both retirees and plan beneficiaries

ERISA governs plan administrators and sponsors, ensuring that they provide plan participants with information and uphold their fiduciary responsibilities. Anyone who works for a partnership, limited liability company, C-corporation, S-corporation, nonprofit organization, or even a single-employee business is covered by ERISA. Although ERISA does not require an employer to provide healthcare coverage to its employees or retirees, it does govern the operation of such a plan once one is established. Likewise, employers are not required under ERISA to establish pension plans, and plans are generally not required to provide a minimum level of benefits; instead, ERISA governs how a pension plan operates once it has been established.

New cybersecurity guidelines for ERISA retirement plans

The Department of Labor (DOL) recently released its first cybersecurity guidance for retirement plans, addressing cybersecurity risks to businesses, plan fiduciaries, plan participants, and record keepers.

The advice comes in the form of proposed guidelines for protecting retirement benefits by providing employers and plan service providers with robust cybersecurity policies as well as web security suggestions for participants.

The Department of Labor’s cybersecurity guidance was long overdue. The ERISA Advisory Council identified privacy and cybersecurity vulnerabilities affecting employee benefit plans in reports released in 2011 and 2016, but the department had not previously offered any recommendations on how to manage such risks or on the extent to which doing so was obligatory.

The concern is that, with enormous sums held in retirement and 401(k) plans, cyberattacks could compromise participant data and plan assets if adequate safeguards are not in place. According to the Department of Labor, ERISA-regulated retirement plans have millions of participants and assets totaling $9.3 trillion.

Retirement plans collect a great deal of personal and financial information. As a result, attackers are likely to target the firms and individuals that sponsor, service, and benefit from these plans.

The DOL’s guidance is meant to supplement existing Employee Benefits Security Administration (EBSA) rules on electronic record retention and on electronic delivery of disclosures to plan participants and beneficiaries. Under those rules, electronic record-keeping systems must have reasonable controls and adequate records management practices in place, and electronic disclosure systems must include safeguards to protect personally identifiable information. The guidance reaffirms the Department of Labor’s position that protection against cyberattacks is a fiduciary responsibility and that plan fiduciaries must take reasonable and appropriate steps to protect their retirement plans and related participant data from cyberattacks.

The DOL guidance is divided into three sections:

(1) Best practices for cybersecurity programs.

(2) Tips for hiring service providers with strong cybersecurity practices.

(3) Online security tips for participants to secure their accounts.

Best practices for cybersecurity programs

The first section of the DOL guidance outlines a set of cybersecurity best practices. It is aimed at record keepers and other service providers responsible for managing cybersecurity risk, as well as at plan fiduciaries who are deciding which service providers to engage. According to the guidance, service providers should have a formal, well-documented cybersecurity program in place that protects IT infrastructure, information systems, and data from both internal and external threats.

The program should include processes and controls for identifying risks; protecting assets, systems, and data; detecting, responding to, and recovering from cybersecurity incidents; and disclosing incidents when required. A service provider’s cybersecurity practices should also be reviewed by a third-party auditor and subjected to an annual risk assessment.

Apart from these practices, the guidance makes several further recommendations:

1) Conduct cybersecurity awareness training regularly (at least annually).

2) Implement a secure system development life cycle (SDLC) program.

3) Implement a business resiliency plan covering continuity of operations, disaster recovery, and incident response.

4) Encrypt sensitive data in transit and at rest.

5) Apply strong technical controls to data management systems.

6) According to the Department of Labor, any asset or data stored in a cloud-based service or maintained by a third-party service provider should be subject to appropriate security reviews and independent risk assessments.

Tips for hiring service providers with strong cybersecurity practices

The second section of the DOL guidance is aimed at plan sponsors and other plan fiduciaries, and it explains how to assess a service provider’s cybersecurity practices as part of the fiduciary duty to prudently select and monitor a plan’s service providers. According to the guidance, plan fiduciaries should conduct due diligence by reviewing the service provider’s information security standards and practices and comparing them against recognized industry standards and guidelines.

Plan fiduciaries should consider how a service provider validates its cybersecurity practices, such as whether it engages a third-party auditor to conduct an annual audit. The guidance also advises plan fiduciaries to evaluate a service provider’s cybersecurity track record, in particular information on past security breaches and any related litigation or legal proceedings in which the service provider has been involved. This includes inquiring in depth about the service provider’s cybersecurity insurance coverage.

A plan fiduciary should also incorporate numerous cybersecurity-related contract conditions in its relationship with service providers, according to the DOL.

These could include terms such as:

1) A right to review cybersecurity audit reports;

2) A requirement that the service provider carry insurance covering losses caused by security breaches, including breaches caused not only by external threats but also by the misconduct of the service provider, its employees, or its contractors;

3) Ongoing compliance with cybersecurity standards;

4) Clear rules on the use and sharing of personal data;

5) Prompt notification and cooperation in the event of a data breach; and

6) Compliance with federal and state record retention and destruction requirements.

The Department of Labor also urges plan fiduciaries to avoid contract provisions that limit a service provider’s liability for cybersecurity breaches.

Online security tips for participants to secure their accounts

The guidance concludes with basic tips for plan participants and beneficiaries who check and manage their retirement accounts online, intended to reduce the risk of fraud and loss. Employers should educate employees about the importance of cybersecurity and consider including these tips in employee communications and training sessions. The tips are:

1) Register for an online account, set it up, and monitor it regularly.

2) Create secure passwords.

3) Enable multi-factor authentication.

4) Maintain up-to-date contact details.

5) Close or delete any accounts that are no longer in use.

6) Be cautious when using free Wi-Fi.

7) Be on the lookout for phishing scams. 

8) Use anti-malware software and keep apps and software updated. 

9) Understand how to report identity theft and cybersecurity mishaps. 

Fortunately for plan fiduciaries, even where an attack results in a loss of plan assets, the fact that a cyberattack has occurred does not by itself mean that the fiduciary has breached its duty.

Under ERISA, fiduciaries must act with the care, skill, prudence, and diligence of a prudent person, which means that a fiduciary can defend against a claim by demonstrating that reasonable and effective cybersecurity procedures were in place to prevent a breach. The DOL’s guidance can help fiduciaries determine which measures should be implemented to meet that standard.

Conclusion

Most of the recommendations in the three guidance documents are based on sound, widely accepted cybersecurity practices. As a result, operational leaders at organizations that sponsor defined benefit plans may find that EBSA’s recommendations resemble cybersecurity policies and processes they have already adopted in their business operations. Other ERISA plan fiduciaries, who have not had a professional need to keep up with the ever-changing cybersecurity landscape, may be unfamiliar with this guidance. In such cases, fiduciaries will most likely seek advice from advisers who can handle the unusual overlap between ERISA fiduciary responsibilities and retirement plan compliance matters on the one hand and appropriate cybersecurity and privacy frameworks on the other. According to its guidance, the DOL considers cybersecurity to be a fiduciary obligation. Employers and plan fiduciaries should therefore take these recommendations seriously for the sake of their retirement plans, participants, and plan service providers. They should review current processes and provider contracts, and consider implementing a cybersecurity policy that incorporates the relevant best-practice recommendations.
