Benefits Monthly Minute
There’s a First Time for Everything: DOL Releases Retirement Plan Cybersecurity Best Practices
Plan sponsors, fiduciaries, record keepers and participants now have official DOL guidance addressing cybersecurity best practices for ERISA retirement plans. On April 14, 2021, EBSA released its cybersecurity guidance in three forms:
- Tips for Hiring a Service Provider – intended to help business owners and fiduciaries satisfy ERISA’s duty to prudently select and monitor service providers, these six tips include:
- Inquiring about the service providers’ information security standards, practices and policies, and audit results, and comparing them to the industry standards.
- Asking how the service provider validates its practices, and what levels of security standards it has met and implemented.
- Evaluating the service provider’s track record in the industry.
- Inquiring about past security breaches.
- Finding out about the service provider’s insurance policies and whether they cover cybersecurity and identity theft losses.
- Ensuring service provider contracts require ongoing compliance with cybersecurity and information security standards (and being aware of any limiting provisions).
- Specifically, the contract should require a third-party audit to determine compliance, include clear provisions on confidentiality as well as the use and sharing of information, ensure cooperation and prompt notification regarding cybersecurity breaches, specify the service provider’s obligations to meet all applicable laws pertaining to privacy, confidentiality, or security of participants’ personal information, and consider requiring insurance coverage to provide protection from breach-related loss.
- Cybersecurity Program Best Practices – for use by record keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries evaluating what service providers they should hire. These best practices provide that plan service providers should:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
- Online Security Tips – these tips, geared towards participants and beneficiaries to reduce the risk of fraud and loss to retirement accounts, suggest careful registration and monitoring of online accounts, use of strong and unique passwords, keeping personal contact information up-to-date, closure of unused accounts, avoidance of free-wi-fi and caution with respect to phishing attacks, and installation of effective antivirus software. The tips also include identification of the FBI and DHS websites for reporting cybersecurity incidents.
KMK Comment: Cybersecurity has been at the forefront of fiduciary concerns for years, and some of these newly released best practices may seem like common practice. But, the DOL’s guidance is helpful in that it summarizes a wide range of cyber-concerns and action items targeted at specific groups – plan fiduciaries, service providers, and participants – which essentially sets out the DOL’s expectations for retirement plan cybersecurity compliance. As a result, we may see cases like Bartnett v. Abbott Labs, 2021 WL 428820 (N.D. Ill. 2021), in which a federal trial court dismissed participant claims stemming from an unauthorized withdrawal through a website maintained by the plan’s TPA, take a more aggressive stance against plan fiduciaries who cannot demonstrate compliance with these new best practices. Plan fiduciaries should become familiar with these requirements and implement any additional cybersecurity measures as soon as practicable.
(Employer Stock) Should You Drop It Like It's Hot?
What is required to plausibly allege a violation of ERISA’s duty of prudence with employer stock drop claims? What is actually needed to satisfy the “more harm than good” pleading standard to survive an early motion to dismiss? Do ERISA’s fiduciary rules require fiduciaries to act on “insider information”? After almost six years of litigation, we still don’t have clear answers.
A little over a year ago, the Monthly Minute provided a status update on the Second Circuit class action case, Retirement Plans Committee of IBM et al. v. Larry W. Jander. As a refresher, IBM workers had claimed the Retirement Plans Committee breached its fiduciary duty by allowing retirement funds to be invested in artificially-inflated employer stock because the committee members knew, but did not disclose, that IBM's microelectronics division was overvalued. Despite a thorough oral argument, the Supreme Court ultimately remanded the case and plan fiduciaries held out hope that the Second Circuit would resolve the tension between ERISA and securities law with respect to employer stock investment and related disclosures. Unfortunately, the case was remanded, again, to the District Court, and IBM re-appealed to the Supreme Court. Not surprisingly, the Justices declined to hear the case and earlier this month the parties agreed to settle for $4.75 million.
KMK Comment: This result may come as a relief to the litigants, but continues to frustrate plan sponsors for two reasons. First, we are left without clarification as to what plaintiffs specifically need to allege in order to satisfy the “more harm than good standard.” Second, questions as to how courts should address the tension between ERISA’s fiduciary rules and securities law remain unanswered. Plan fiduciaries should continue to monitor employer stock carefully.
DOL Clarifies Mental Health Parity Compliance and the New Comparative Analyses Requirements
Earlier this month, the Departments released new FAQs in response to the Consolidated Appropriations Act’s (the CAA) amendment of the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA). The CAA amended the MHPAEA, in part, by expressly requiring group health plans and health insurance issuers that offer both medical/surgical benefits and mental health or substance use disorder (MH/SUD) benefits and that impose non-quantitative treatment limitations (NQTLs) on MH/SUD benefits to perform and document their comparative analyses of the design and application of NQTLs. Among other things, plans and issuers must also make their comparative analyses available to the Departments or State authorities, upon request. These FAQs include the following clarifications about the new comparative analyses requirements:
- Plans and issuers must make their comparative analyses of the design and application of NQTLs available to the Departments or applicable State authorities upon request, beginning February 10, 2021. Accordingly, plans and issuers should now be prepared to provide their comparative analyses upon request.
- Merely presenting a general statement of compliance, coupled with a conclusory references, will not be sufficient. Comparative analyses must be sufficiently specific, detailed, and reasoned to demonstrate whether the processes or other factors used in developing and applying an NQTL are comparable and applied no more stringently to MH/SUD benefits than to medical/surgical benefits. In this regard, the FAQs note the DOL’s MHPAEA Self-Compliance Tool is closely aligned with the information that plans and issuers must include in their comparative analyses.
- Plans and issuers should be prepared to make available documents that support the analysis and conclusions of their NQTL comparative analyses, including records documenting NQTL processes and detailing how the NQTLs are being applied, documentation, including any guidelines, claims processing policies and procedures, or other standards that the plan or issuer has relied upon, samples of covered and denied MH/SUD and medical/surgical benefit claims, and documents related to MHPAEA compliance with respect to service providers.
- Where the Departments determine that a plan or issuer is not MHPAEA-compliant, the plan or issuer must specify the actions it will take to come into compliance within a 45-day corrective action period. If the Departments make a final determination that the plan or issuer is still not in compliance, within 7 days the plan or issuer must notify all enrolled individuals that the coverage is noncompliant with MHPAEA. The Departments will also share its findings with the State where the group health plan is located or where the issuer is licensed.
- For ERISA plans, the DOL takes the position that plans and issuers must make the comparative analyses and other applicable information available to participants, beneficiaries, and enrollees upon request.
- In the near term, the DOL expects to focus on the following NQTLs in its enforcement efforts:
- Prior authorization requirements for in-network and out-of-network inpatient services;
- Concurrent review for in-network and out-of-network inpatient and outpatient services;
- Standards for provider admission to participate in a network, including reimbursement rates; and
- Out-of-network reimbursement rates (plan methods for determining usual, customary, and reasonable charges).
KMK Comment: The new comparative analyses requirements add an additional layer of administration to MHPAEA compliance. Plans that impose NQTLs on MH/SUD benefits should work closely with insurers and third party administrators to ensure the information included in the comparative analyses will satisfy the Departments’ stringent standards, and be mindful of the DOL’s focused areas of enforcement.
The KMK Law Employee Benefits & Executive Compensation Group is available to assist with these and other issues.
Rachel M. Pappenfus
KMK Employee Benefits and Executive Compensation email updates are intended to bring attention to benefits and executive compensation issues and developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
- Affordable Care Act / Health Care Reform
- Business Restructuring Transactions & Shutdowns
- Data Privacy & Cybersecurity
- Employee Benefit Plans & Compensation Programs
- Employee Benefits & Executive Compensation
- Employee Benefits Administration
- Employee Benefits Regulatory Compliance & Fiduciary Issues
- Executive Compensation Plans & Arrangements