In recent months, the issue of cybersecurity has been the topic of many headlines. But one important cybersecurity concern that often goes unexplored is the protection of the private data of participants in an employee benefit plan. Every retirement plan maintains individuals’ names, dates of birth, Social Security numbers, and bank account information for current and former participating employees. Employee benefit plan sponsors have a fiduciary duty to ensure that participant information and plan assets are protected from the growing number of cyber threats and that there is a plan in place to respond to a data breach and mitigate any associated damages.
On November 10, 2016, the ERISA Advisory Council shared some considerations concerning cybersecurity with the federal Department of Labor.
The Council identified four major areas for effective practices and policies.
- Data management – Protect and control data.
- Technology management – Maintain up-to-date technology.
- Service provider management – Perform due diligence on the plan data security practices of service providers.
- People issues – Properly train and manage personnel.
The Council listed three considerations to help plan sponsors, administrators and fiduciaries manage cybersecurity.
Establish a Strategy
Plan sponsors should identify their data and assess the associated risks (how the data is stored, controlled, accessed, and transmitted). Plan sponsors will also want to establish processes for testing and updating technology, training personnel, and managing third-party risks. In customizing the strategy, available resources, cost, size, complexity, and overall risk exposure must be taken into consideration.
Contracting with Service Providers
Plan sponsors should have cybersecurity discussions with the plan’s third-party service providers and review their current policies and procedures relating to data security, including passwords, social media, document retention, internet privacy, and similar matters.
Plan sponsors should understand the insurance policies covering the plan. Do they cover cyber risks? If not, plan sponsors should consider obtaining cyber insurance along with first-party coverage.
Unfortunately, cybersecurity is a growing concern for all entities, including employee benefit plans. Plan sponsors and other fiduciaries need to be aware of these risks and put in place defensible policies and procedures to help limit exposure to liability for both the plan and its fiduciaries.