Regulatory expectations rarely evolve in isolation. When one sector tightens its approach to risk management, others often follow suit.

Just as financial institutions must validate cybersecurity controls, employers may soon need to verify employee benefit plans’ vendors’ compliance with evolving standards…

Anticipating DOL’s Cybersecurity Evolution

The New York Department of Financial Services (NYDFS) has recently issued guidance clarifying how financial institutions should manage risks associated with third-party service providers under its Cybersecurity Regulation. Its themes—enhanced due diligence, contractual rigor, and ongoing oversight—may foreshadow similar developments in the employee benefit plan world. The U.S. Department of Labor (DOL) has already announced its intention to update its 2021 cybersecurity guidance for plan sponsors. The NYDFS sets a model for the DOL to follow.

Employers who sponsor retirement and healthcare plans should take note: the fiduciary landscape is shifting toward deeper accountability for vendor relationships.

What’s Changing in Service Provider Oversight

The NYDFS guidance doesn’t create new rules but sharpens expectations around existing obligations. Enterprises that engage “Covered Entities” (i.e., any vendor or affiliate that processes or stores nonpublic information) must now demonstrate a more proactive, risk-based approach to managing such vendors. Key elements include:

  • Robust Due Diligence: Beyond questionnaires and self-attestations, entities are expected to verify cybersecurity programs through audits, certifications (e.g., ISO 27001, HITRUST), and evidence of controls like MFA, encryption, and incident response planning.
  • Contractual Enhancements: Suggested clauses go beyond basics, addressing compliance representations, data location restrictions, AI-specific provisions, and termination triggers for cybersecurity breaches.
  • Continuous Monitoring: Vendor oversight is no longer a “set-and-forget” exercise. Covered Entities must periodically reassess risk, review certifications, track incidents, and escalate unresolved issues to senior governance.
  • Exit Protocols: Termination requires systematic steps—revoking access, ensuring data destruction, and documenting lessons learned.

Parallels for ERISA Fiduciary Responsibilities

The Employee Retirement Income Security Act (ERISA) imposes a duty of prudence and loyalty on employers managing retirement and healthcare plans. Historically, this has involved selecting reputable service providers and closely monitoring their performance to ensure optimal results. However, as plan operations become more complex—considering recordkeeping, claims administration, and cybersecurity for participant data—the standard for “prudent oversight” is increasing.


Roland|Criss delivers a robust, end-to-end cybersecurity management framework fully aligned with ERISA.


What Employers Should Do Now

The trend is clear: fiduciary responsibility is expanding from “hire and monitor” to “verify, govern, and adapt.” Employers can prepare by:

  • Mapping Vendor Risks: Identify critical service providers and assess exposure—especially where participant data or plan assets are involved.
  • Strengthening Contracts: Incorporate provisions on compliance, data handling, and termination rights.
  • Building Oversight Frameworks: Establish policies for periodic reviews, issue escalation, and integration with incident response plans.
  • Staying Ahead of Regulations: Monitor developments from the DOL and other relevant agencies for signals of potential regulatory changes.

Cybersecurity regulation is setting a precedent: outsourcing operations does not outsource responsibility. ERISA fiduciaries should anticipate scrutiny similar to that now applied to entities regulated by the NYDFS, and act now to elevate vendor governance.

The cost of waiting? Increased litigation risk, regulatory penalties, and reputational damage.

The opportunity? Positioning your organization as a leader in fiduciary best practices.

A Dynamic Monitoring Solution

Cyber-ProtectRC from Roland|Criss provides 24/7 surveillance of vendors’ data networks, offering fiduciaries of employee benefit plans a dynamic monitoring capability that extends far beyond audits, certifications, and periodic reviews. This continuous oversight helps identify and mitigate risks in real time, aligning with emerging best practices for prudent governance under ERISA.
