The Effect of DOL’s New Cybersecurity Guidance on Retirement and Health/Welfare Plans
The Department of Labor (or DOL) released new guidance regarding cybersecurity in April 2021. This covered three important factors: hiring service providers, providing online security tips, and new cybersecurity best practices.
These were separated into three documents. They included checklists for plan sponsors who want to be certain that the contracts they set with service providers are both effective and compliant with regulations, as well as guidance for individuals who are looking to improve their safety and security while online.
These documents were issued to plan fiduciaries and participants. Since this is an additional layer of compliance that goes above and beyond HIPAA, it’s particularly important to retirement plans and health/welfare plans.
How the DOL Guidance is Being Applied
Since the new guidelines were announced, many large service providers and record-keepers have started to make changes in order to comply with this guidance. Nonetheless, the DOL has not formally solicited comments from the legal, TPA, custodian, investment management, or trustee communities before issuing this new guidance.
This is unusual. In most cases, the DOL takes comments and considerations from these sectors before issuing guidance.
The abandonment of this usual ‘white paper’ approach is strange, but in this case, not unwarranted. By taking advice directly from cybersecurity experts, the DOL has been able to provide effective and comprehensive guideline updates directly.
It is also important to note that no delayed ‘effective’ date was provided, and so this guidance is considered to be immediately enforceable. The DOL is now asking about cybersecurity during routine reviews and audits, which is something that affected industries and sectors should be aware of.
Of all those who are affected by this, however, we believe that fiduciaries should be preparing now.
Actions You Can Take Today
There is no such thing as preparing too early, especially with the immediately enforceable nature of these new guidelines. Fiduciaries should take the following steps as soon as possible:
- Reach out to your current providers (or to us) and enquire about their current progress in evaluating or implementing the new DOL cybersecurity guidelines. Discuss their timeline and get firm commitments as to when you can see the documentation.
- Have an open and honest discussion with your providers about if they will or will not comply with all aspects of this guidance. Likewise, determine which (if any) aspects they have concerns about.
- Review all of your contracts to assess your current situation. Figure out where you and your current service providers fall short and what you can do to address these weaknesses and shortfalls.
- Plan out your desired progress and make consistent and methodical changes to ensure that you are bringing your processes in line with the new DOL guidance as quickly as possible.
- Keep a paper trail to ensure that you have proof of the changes you have made and the due diligence you have shown with regard to these new DOL guidelines.
Of course, there are some issues with the current DOL guidance. At the moment, these guidelines are very high-level in nature and do not provide a lot of detail. This means that it can be hard to determine just how compliant you and your providers currently are – and harder still to determine the precise changes that need to be made.
For example, while HIPAA provides special rules for situations such as enrollment, under which ‘basic’ information is not considered protected health information, the new DOL cybersecurity guidance is not always so clear on what information is considered ‘basic.’ These uncertainties make it hard for business owners and service providers of all kinds to plan and develop ways of satisfying their responsibilities.
As such, we recommend that you seek legal advice if you are in any uncertainty about your compliance or the compliance of your service providers.