The 2016 ERISA Advisory Council examined cybersecurity considerations as they relate to pension and benefit plans, focusing on information that plan sponsors, fiduciaries and service providers can use to evaluate and develop a cybersecurity risk management program for benefit plans. But despite that ERISA guidance, there is no comprehensive statute governing the protection of retirement plan data against cyber threats, as there is in the health-care arena (e.g., HIPAA). Though large recordkeepers including Charles Schwab, Empower, Fidelity and Wells Fargo have pledged a security guarantee to make victims of retirement fraud whole,1 plan sponsors still need to take proactive measures to protect plan data.
1. Understand the Data
Many benefit plan data elements are personally identifiable information (PII) or protected health information (PHI). This personal information, including Social Security numbers, dates of birth and even fingerprints, is extremely valuable to cyber criminals because it is often permanently associated with an individual and cannot be changed or canceled the way a compromised credit card or bank account can.
Given the sensitivity of the data, sponsors must understand how the information is being gathered and used to facilitate plan administration. Plan sponsors and their service providers should maintain an inventory of the data collected and share only the data necessary to meet the needs of the plan — and no more. Don’t collect information unless there is a legal requirement or a demonstrable business process in which it is actually used. Once the information is no longer needed, it should be destroyed.
2. Design the Strategy
All plan sponsors and their service providers should consider a cybersecurity risk management strategy specific to retirement programs.
More than a checklist, this cybersecurity risk management approach should be dynamic and adaptive to the plan, the plan sponsor and its service providers, as well as to the continuously changing threat landscape. Key considerations include:
Cybersecurity points of intersection: Determine what cybersecurity measures (if any) the organization currently has in place, identify the internal stakeholders and begin to explore knowledge- and cost-sharing to enable greater program efficiency and effectiveness.
Data rules and roles: Building on existing internal cybersecurity best practices (if in place), create functional business and organizational requirements regarding what data is collected, how it is gathered, stored and deleted, and who has access to it. Responsibilities around and ownership of program implementation and monitoring should also be agreed upon and documented at the start. Establishing clear process guidelines and defining internal and external roles at the front end of the program will streamline management and ongoing enhancement.
Third-party risk management: First clarify which entity the data “belong” to and where the liability falls. Understand how service providers share, store and protect data. Determine whether those service providers outsource activities to other vendors. Vet the information security practices of all providers that receive participant data. Finally, create a provider inventory documenting the data they have access to and the security procedures they’ve committed to.
Training: Train staff involved with the plans or with access to plan data. An initial and refresher curriculum (specific to user type and data access) should be administered at the plan sponsor level as well as to appropriate plan service providers.
Testing and updating: Determine the frequency and type of testing to be conducted (for example, vulnerability assessments, penetration tests and incident-response exercises) and how findings will be remediated. Consider consulting a cybersecurity expert to determine the best testing approaches for the plan.
Reporting: Testing and updating will produce findings that need to be reported. Establish guidelines for report monitoring, including reporting frequency, what the reports cover, who reviews them (potentially including benefits and investment committees or other named fiduciaries) and how issues are escalated.
3. Assess Service Providers
As noted during strategy development, plan service providers (including recordkeepers, third-party plan administrators and investment managers) could be the source of a data breach. The following questions about the protection of data may be helpful when contracting with and evaluating service providers2:
Does the service provider have a comprehensive and understandable cybersecurity program? If so, what is the structure?
How will the plan(s) data be maintained and protected, including encryption approaches and physical asset controls?
Will the service provider assume liability for breaches?
What are the service provider’s protocols for notifying plan management in the case of a breach, and are those protocols satisfactory?
Will the service provider agree to external reviews of its controls and regular monitoring and reporting?
What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)? Will subcontractors be subject to the same requirements?
4. Consider Legal Implications
ERISA requires that plan assets be held for the exclusive purpose of providing benefits to participants and their beneficiaries and defraying the reasonable costs of administering the plan. In practice, this means that the cost of creating and maintaining a cybersecurity program specific to benefit plan data could be charged to the plan, and therefore to the participants, depending on state statutes. Where the plan (meaning the participants) funds the cybersecurity effort, sponsors should be mindful to design a program that benefits the participants exclusively (rather than the employer).
Seeking ERISA counsel may be beneficial in determining who should pay for the program. ERISA counsel should also offer guidance on whether ERISA pre-empts state law, should questions arise related to the program.
5. Review Insurance Coverage
While potentially duplicative of other fiduciary liability policies, cyber liability insurance covers a broader range of claims and can address employee PII exposed by cyberattacks carried out on third-party service providers. Typical coverage includes breach response costs, regulatory fines and penalties, social engineering fraud, wire transfer fraud and various other types of liability. Beyond response and recovery, which fall under first-party coverage, employers should also be prepared for an additional wave of exposure from participant lawsuits. Third-party coverage is needed for the cost of defense, the amount of any settlement or judgment, legal fees, forensic investigation and credit monitoring services.3
Belt-and-Suspenders Strategy
Cybersecurity has become a business imperative. But beyond business intelligence, employee information also needs protection, particularly given the nature of the data (both permanent and unique to the employee) and the distance that it travels (from employers to a syndicate of service providers). In time, cybersecurity solutions may become elegant and comprehensive enough to automatically account for the requirements of benefit plan data; in the meantime, employers must be proactive in adopting additive cybersecurity measures in tandem with corporate information security efforts. The risk is too great not to.