Plan fiduciaries are tasked with many responsibilities, such as selecting the best third-party administrator (TPA) for the plan. TPAs can include plan recordkeepers, trustees, or payroll providers. While each plan fiduciary will use different criteria when selecting the best fit for its plan, all fiduciaries should evaluate the cybersecurity practices of every provider they consider.
On April 14, 2021, the Department of Labor (DOL) issued sub-regulatory guidance addressing cybersecurity practices of plan sponsors, plan service providers, and plan participants. This is the first guidance specifically addressing cybersecurity the DOL has issued. While it is not authoritative at this point, there are still some important factors that should be taken into consideration when selecting a TPA and when evaluating a plan’s current TPA.
The first section of the guidance is titled "Tips for Hiring a Service Provider with Strong Cybersecurity Practices." It recommends that the plan fiduciary or plan sponsor ask service providers about their security standards and related policies. This can also include requesting and reviewing the TPA's security audit results to confirm that the provider actually follows the standards and policies it has in place. Additionally, plan fiduciaries and sponsors should inquire about any past security breaches and how they were handled. They should also find out whether the TPA carries specific insurance policies that would cover potential losses caused by a cybersecurity breach.
The second section of the guidance is titled "Cybersecurity Program Best Practices." While it is specifically targeted at service providers, the DOL recommends that plan fiduciaries and plan sponsors use it when evaluating their current TPAs or any potential new TPAs. Some of the best practices listed include having a formal cybersecurity program, conducting annual risk assessments, having an annual third-party audit of security controls, and encrypting sensitive data both while it is stored and while it is in transit. When selecting a new TPA or evaluating a current one, these best practices will most likely raise further questions that plan fiduciaries or plan sponsors should be asking.
The more information plan fiduciaries have when making decisions about their TPAs, the better. As more information is stored electronically, cybersecurity incidents are increasing over time. The fact that plans hold a significant amount of confidential personal data about plan participants, along with high-dollar amounts of assets, makes them potential targets for cybercriminals. Plan fiduciaries have a responsibility to do what they can to properly mitigate cybersecurity risk and to protect their participants.