Cybersecurity Considerations for the DOL’s New Electronic Disclosure Rule

February 2020

By Greg Garrett, Beth Lee Garner, and Mary Espinosa

The U.S. Department of Labor (DOL) announced a proposed new rule in October 2019 that would allow retirement plan sponsors to post plan disclosures online, rather than having to deliver this information via physical mail. While the DOL has emphasized that the proposed rule should result in increased convenience and reduced printing and mail expenses for companies, plan sponsors should very seriously consider the cybersecurity issues that accompany the electronic disclosure of sensitive plan and participant information. In fact, it is their fiduciary responsibility to do so.
Background on the Electronic Disclosure Rule

The proposed “Retirement Plans Electronic Disclosure Safe Harbor Rule” offers plan sponsors more options to fulfill their obligation to provide required documents and disclosures to participants and beneficiaries. The DOL expects that the rule, when finalized, will save about $2.4 billion on printing and mailing costs over the next 10 years. The rule applies to most plans covered by the 1974 Employee Retirement Income Security Act (ERISA), but it doesn’t cover employee welfare plans.

The proposed rule includes a safe harbor option allowing plan sponsors to put certain notices on a website, instead of sending paper announcements via physical mail. Before the transition to electronic disclosures, participants will be notified of the coming change and will be provided the opportunity to opt out of the new procedure and continue receiving printed information via mail.
Electronic Disclosure Heightens Cybersecurity Risks

While transitioning to a modern communication format to increase convenience and lower costs sounds very attractive, plan sponsors have a fiduciary responsibility to ensure that participants’ data are protected. The proposed rule remains vague regarding data protection requirements, simply stating that plan administrators must take reasonable measures to ensure confidential information is safeguarded.

Benefit plan documents carry a multitude of sensitive information, such as Social Security numbers, account balances, and home addresses. BDO research into “Cybersecurity Guidelines for C-Suite Executives” shows that intellectual property, personally identifiable information, protected health information, and payment and card information are highly valuable data points targeted by hackers. Even if this information is stored by service providers, plan sponsors are still obligated by law to ensure the information is protected.
How Plan Sponsors Can Prepare for Electronic Disclosure

The good news is that plan sponsors have time to address potential cybersecurity issues as well as review and update current processes before the proposed rule goes into effect. Once the electronic disclosure rule is finalized, it will become effective 60 days after it is published in the Federal Register. The rule will not apply to plans until January 1 of the year following the final rule, so the soonest the rule will be in effect is January 1, 2021.

In the interim, plan sponsors should take a close look at the cybersecurity controls needed to protect sensitive data and other information. BDO recommends a threat-based cybersecurity approach to prevent cyber-attacks and limit the costs associated with a potential breach. This approach analyzes a company’s unique threat profile, identifies at-risk areas, and creates a range of proactive steps to safeguard sensitive information.

Some guidelines to a threat-based cybersecurity approach include:
  • Hiring an independent firm to assess specific areas, including email, network, and endpoint vulnerabilities, susceptibility to spear-phishing, and other security assessments
  • Using strong encryption and two-factor authentication, above and beyond password-only identification
  • Offering effective cybersecurity education and training for the entire workforce
  • Developing a solid governance plan to map, track, and secure all data
  • Reviewing and testing the organization’s Incident Response Plan (IRP)
  • Verifying that service providers comply with the organization’s cybersecurity plan