Saturday, May 08, 2021

Guidance 'Counseling'

 When the Labor Department issued last month what it called “new guidance” that it further described as “the first time the department’s Employee Benefits Security Administration has issued cybersecurity guidance”—well, I, for one, was expecting… guidance. 

However, rather than an advisory opinion, information letter or even a field assistance bulletin, it turned out instead to be three documents outlining what were termed “best practices for maintaining cybersecurity.”

The issue of cybersecurity has, of course, loomed large in recent months, reportedly emerging as a focus in Labor Department audits and as a point of contention[i] in participant lawsuits. In fact, even the preamble to the final e-delivery regulations stated a year ago that “…the Department expects that many plan administrators, or their service or investment providers, already have secure systems in place to protect covered individuals’ personal information.” 

Now, in fairness, the Labor Department press release did state that it was guidance on those best practices—not that there wasn’t guidance on cybersecurity to be found in those documents. 


Consider that in the component labelled “Cybersecurity Program Best Practices,” none other than the Labor Department itself says, in no uncertain terms, “Plans’ service providers should…” and then proceeds to enumerate 12 precise and distinct elements. The first of these is no less than to “have a formal, well documented cybersecurity program,” followed immediately by “conduct prudent annual risk assessments.” 

Doubtless there are some who would prefer to have a more detailed expectation as to the particulars of those practices, some specific sense as to exactly what constitutes a “cybersecurity program,” the criteria for “strong access control procedures” and what is required in order to “appropriately respond” to past cybersecurity incidents. 

Make no mistake: Plan fiduciaries that aren’t attentive to the issue, much less the best practice guidance and its detailed outlines as to what would constitute “best” practices—well, perhaps the high-level admonitions leave too wide open the determination as to how those mesh with ERISA’s fiduciary standard. That said, and even if the Labor Department has yet to turn a sharp eye upon such things, the plaintiffs’ bar soon surely will.

The elements outlined, while broad, seem to offer at least a basic structure and specifics sufficient to validate an existing program, or—should one not yet be in place—begin its construction. And so, even if there are some specific criteria not yet detailed, plan fiduciaries can know, it seems to me—regardless of this particular guidance—for a certainty that the standards of considering, hiring and monitoring the processes and practices of those who provide support to their plan and its participants require—as they always have—a standard of care and loyalty that has been described as “the highest known to the law.” 

And surely that includes pursuing best practices in protecting both the information and account balances to which they are entrusted. 

- Nevin E. Adams, JD

No comments: