CyberSecure

FOR LOCAL UNIONS

ERISA Duty of Prudence: Do You Have Controls and Governance?

At first glance, the United States Department of Labor’s best practices for cybersecurity look relatively simple. Best Practice Number One requires “a formal, well-documented cybersecurity program.” Putting it into action shows how complex compliance can be. 

Most compliance actions can be placed in two categories: “Controls” and “Governance.” Controls are the pieces of the actual process — the actions taken and the hardware and software purchased to protect your participants and beneficiaries, offices, plans, and fiduciaries. Governance is the oversight of the process — the review, analysis, and documentation of the decisions made and the actions taken. This article focuses on governance — how to create a dynamic, interactive review process that meets fiduciary standards and is properly recorded. 

Many unions and funds have great controls and decision-making discussions as issues arise but fail to write things down as they happen. A DOL audit could go back six years. With all that fiduciaries do, often for various ERISA entities, it is difficult to remember, in detail, any decisions made that long ago. There are often changes in trustees, staff, and service providers. It is difficult to collectively remember details accurately if the decision makers are no longer present. At minimum, any decision or adjustment to cybersecurity procedures should be presented at committee and trustee meetings and documented in the minutes. The bigger the decision or issue, the more description is necessary. The following describes the basic elements of what to consider and document. 

ERISA Section 404(a)(1)(B) states: 

“a fiduciary shall discharge his duties with respect to a plan…with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims…”


This is commonly known as the Duty of Prudence ... It is a broad, all-encompassing standard that sets the tone for every action and decision a fiduciary makes. For cybersecurity purposes, it means being able to prove to any reviewing entity that the decision maker understood, at the time the decision was made, the following factors: 

Factor and Prudence Considerations

The nature of the entity (union, office, or fund) and the purposes for which it exists:
Look to the documents that create the entity — collective bargaining agreement, trust agreement, plan documents, policies and procedures, tax-exempt entity filing — what do the written terms require?

The size and complexity of the office or fund involved:

  • Are there multiple entities using the same building or internet access? 
  • Shared services agreements?
  • How many staff members?
  • Expertise level of staff members and users?
  • What type of information is maintained or exchanged?

Individuals to be protected:

  • Participants and beneficiaries
  • Staff
  • Instructors
  • Trustees
  • General public (e.g., applicants not chosen to be apprentices, visitors)

Nature and scope of activities engaged in:
Look at each step of the workday, and any special events (committee meetings, membership meetings, public events).

Available resources:

  • Member and participant records and communications 
  • Interoffice communications
  • Marketing
  • Social Media
  • Communications with contractors and customers

Sensitivity of the information to be protected:
Numerous privacy laws could apply:

  • HIPAA, state privacy laws, employment laws (disability, equal opportunity, Social Security Numbers)

All the relevant facts and circumstances:
Pay special attention to any feedback from membership, participants, or staff, and to how the existing structure addresses or fails to address it.

Cost involved:
The solution does not have to be the least or most expensive — it must be justifiable and reasonable at the time the decision is made.

Ability to acquire and access personnel and tools to implement the decision:
What is available on the current open market? Are new vendors or staff positions necessary? Education of existing staff? Current staff retention issues? 

Overall budget that is reasonable for the purpose:
This is in relation to industry standards and highly specific to the entity and project. What is the range of cost, in general, in your area? What are the plan’s/union’s/entity’s overall reserves? What is the proportion of the cost of this project to the entire cybersecurity budget? To the entity’s entire budget? 

Governance preparation focuses on standards and expectations set by regulatory entities and trusted industry professionals. Another layer of consideration is the expectations of the membership — the participants and beneficiaries for whom the offices and funds are created. With the increased development and promotion of regulatory best practices and guidelines for cybersecurity come new lawsuits alleging, first, a duty to the member to establish and follow proper guidelines (as required by the best practices) and, second, that the duty owed was breached, resulting in injury to the member. Lawsuits are highly fact-specific and specialized to the parties involved and the location of the regulated entity. Similar lawsuits in different jurisdictions could have wildly differing results. Though the best practices help to create a standard of care that removes some of the complexity and irregularity, they also give a roadmap for potential litigation. Keeping track of litigation developments will help fiduciaries understand the practical application of their controls, as well as develop governance best practices that elevate the quality and efficiency of their decisions. 

Onsite Logic