Benefits Byte

September 258, 2022

Council Testifies Before ERISA Advisory Council on Cybersecurity 

The ERISA Advisory Council held its latest round of hearings on September 8 and 9 to discuss this year’s topics of Cybersecurity Issues Affecting Health Benefit Plans and Cybersecurity Insurance and Employee Benefit Plans. Testifying on the American Benefits Council’s behalf were Kent Mason and Michael Hadley, both partners with Davis and Harman, LLP., focusing their remarks on cybersecurity insurance issues. Also appearing at the hearing to provide an update on the department’s employee benefits policy agenda was Ali Khawar, acting assistant secretary of the DOL Employee Benefits Security Administration (EBSA). 

The EAC is a group of benefits experts established by Congress and appointed by the U.S. Department of Labor (DOL) to identify emerging benefits issues and advise the Secretary of Labor on health and retirement issues. The EAC holds hearings on the topics it selects and submits a report of findings and non-binding recommendations to the Secretary of Labor. A list of the speakers can be viewed on the September 8 agenda and September 9 agenda. 

Background 

As we reported in the April 16, 2021, Benefits Byte, DOL and EBSA previously issued subregulatory guidance to help retirement plan sponsors reduce cybersecurity risks. As outlined in a news release, the guidance includes: 

  • Cybersecurity Program Best Practices: This document asserts that “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks” and provides a list of 12 best practices for plan fiduciaries and recordkeepers in managing their cybersecurity responsibilities.
  • Tips for Hiring a Service Provider: This document is intended to help plan sponsors and fiduciaries prudently select a service provider and monitor their activities, as required by ERISA. The document includes six tips that focus on assessing a service provider’s preparedness for information technology breaches and compliance with cybersecurity standards. 
  • Online Security Tips: This document is designed to provide plan participants and beneficiaries who check their retirement accounts online with basic rules to reduce the risk of fraud and loss. 

The DOL guidance follows a February 2021 Government Accountability Office (GAO) report recommending that DOL (1) clarify whether it is a fiduciary's responsibility to mitigate cybersecurity risks and (2) establish minimum requirements for addressing these risks (see the report highlights).

The EAC’s stated goals on the topic of cybersecurity insurance are to: 

  • gain an understanding of cybersecurity insurers and the current market for cybersecurity insurance. 
  • investigate the terms of typical cybersecurity insurance policies 
  • understand of the views of plan administrators (including the trustees of multiemployer plans) with regard to cybersecurity insurance.  
  • explore the interplay between a plan’s existing “cyber-hygiene” practices and the availability (and cost) of cybersecurity insurance coverage.  

Council Testimony 

Mason led off the Council’s oral testimony by previewing a survey that will soon be shared with Council members to get a sense of employer practices and attitudes with respect to cybersecurity insurance. (Invitations to take this survey have been sent to one person at each plan sponsor member company.) 

In developing this survey, the core question that has arisen is whether there is a fiduciary obligation on the part of a plan sponsor or service provider to make a participant whole in cases where a cybersecurity incident – for which neither the plan sponsor nor service provider is at fault – results in defined contribution plan losses.  

The Council’s legal analysis has determined that there is no law to support the notion that a plan sponsor or service provider are liable in such cases. Furthermore, in instances where the plan sponsor or service provider is culpable, traditional fiduciary liability insurance should cover those losses. Mason asserted that any position to the contrary would place employers in an untenable position as a “guarantor” of plan assets and could potentially bankrupt many small businesses. (With respect to defined benefit plans, where the benefit is guaranteed, the question is more complicated, as Mason acknowledged.) 

On the matter of separate cybersecurity insurance coverage, Mason said employers were “skeptical that there is affordable coverage available that would cover losses in cases where employers were not at fault.” 

More generally, Mason pointed out a growing concern that the DOL, in the retirement space, has swung too far towards sub regulatory guidance rather than regulatory proposals with opportunities for stakeholders to comment. He cited the agency’s recent guidance on missing retirement plan participants that was ultimately counterproductive because of a lack of clarity (see the January 14, 2021, Benefits Byte). 

Update from EBSA’s Acting Assistant Secretary 

In providing a status report on EBSA’s ongoing activities, Khawar focused on four open issues: 

  • Proposed regulations revising and superseding the agency’s existing procedure governing the filing and processing of applications for administrative exemptions from the prohibited transaction provisions of ERISA, the Internal Revenue Code and the Federal Employees' Retirement System Act of 1986 (FERSA). In May 31 written comments on the proposal, the Council urged DOL and EBSA to reverse course and provide more opportunities for retirement plan sponsors to modernize their plans (see the June 2 Benefits Byte). 
  • The issuance of Interpretive Bulletin 2022-01, which updates the agency’s guidance on the “independence” requirement for accountants who audit employee benefit plans under ERISA. 
  • Improving mental health coverage generally, even beyond the ongoing enforcement action under the Mental Health Parity and Addiction Equity Act (MHPAEA). “Expect to see a lot more” activity in the area of mental health, Khawar said. In June, the Council provided specific guidance recommendations to DOL (along with the U.S. Treasury Department and the Department of Health and Human Services) requesting additional guidance regarding compliance with MHPAEA and generally recommending that the agencies focus on supporting plan sponsors rather than punishing perceived violations.  (Proposed regulations and sub-regulatory guidance on mental health parity are expected sometime soon).

Asked to comment specifically on EBSA’s position on cybersecurity, Khawar deferred any discussion of formal regulations with a notice and comment period. Instead, he referred back to the agency’s 2021 subregulatory guidance, which he said “outlined how a plan sponsor that really wants to take these issues seriously should think about it,” adding, “I don’t know why anyone wouldn’t take it seriously.” 

For more information on retirement plan issues, including cybersecurity or fiduciary insurance for defined contribution plans, contact Lynn Dudley, senior vice president, global retirement and compensation policy, or?Diann Howland, vice president, legislative affairs. For more information on health policy regulatory developments, including mental health parity, contact Katy Johnson, senior counsel, health policy.