
DOL Cyber Scrutiny Higher for ‘Those Running the Systems’

Government Affairs

The Department of Labor (DOL) wants everyone to be attentive to cybersecurity protocols as a fiduciary responsibility, but there’s a higher expectation for those “running the systems.”

Tim Hauser, Deputy Assistant Secretary for National Office Operations at the DOL’s Employee Benefits Security Administration, spoke with ARA CEO Brian Graff at the 2021 NAPA DC Fly-In Forum in a wide-ranging discussion that ran the gamut from the 2020-02 Prohibited Transaction Exemption and its impact on rollover recommendations, through a potential revisit of the fiduciary regulation, to the recent DOL guidance on cybersecurity practices.

Key Takeaways

  • The most detailed prescriptive best practices in the recent DOL guidance were aimed at recordkeepers and “those running the systems”—and the DOL has higher expectations on cybersecurity practices among those organizations.
  • Costs and risk exposure are a relevant consideration—the Labor Department would expect quite a bit more of those who hold more data and have more exposure.
  • DOL’s recent cybersecurity guidance was intended to heighten awareness and remind fiduciaries of their responsibility to safeguard participant accounts and plan assets.
  • The DOL is asking about cybersecurity procedures as part of audits, but the intent isn’t punitive; it is to help improve current practices.
  • Plans are more likely to have a problem with the Labor Department if there has been a data breach and nothing was done to address it.

As for what the DOL was hoping to accomplish in issuing the best practices documents on cybersecurity, Hauser explained that first and foremost, they wanted to make clear that normal fiduciary obligations apply here. 

“If you’re responsible for plan administration and you’re hiring somebody to run your systems, keep that data, be your recordkeeper, you need to be attentive to whether or not they’re observing good cybersecurity practices,” he noted. 

Hauser also confirmed that as a routine part of their pension audits, the Labor Department is now asking people about their cybersecurity practices. Asked by Graff what the plan is for the information they’re gathering, Hauser noted that right now their main goal is to find out whether plan administrators and fiduciaries are adhering to good cyber practices. “This is not an initiative where we’re hoping to find lots of breaches and recover a lot of money. We’re hoping to help people do things that keep [cyberbreaches] from ever happening.”

Hauser did note, however, that in specific cases where there have been cybersecurity breaches and there has been criminal conduct, the Department has been involved in addressing the breach. He also cautioned that while the intent of the questions wasn’t punitive, it would be another issue altogether if there had been a breach, and no attempts to address the issue had been made. 

Hauser acknowledged that the most detailed prescriptive best practices were aimed at recordkeepers, “those running the systems.” While he noted that the DOL would expect to see different—and ostensibly more extensive—procedures in place among providers, he cautioned that the Department would nonetheless want to know that the plan sponsor and fiduciaries were being “thoughtful” about access to the data: protecting access with anti-virus software, secure passwords and multi-factor authentication, and observing basic data-handling hygiene—albeit with a sensitivity to balancing the cost against the risk and likelihood of a breach.