Protect Employees' Benefit Plan Data from Cyberattacks
Malware. Phishing. Denial-of-service. Cross-site scripting. Cybersecurity has developed its own language of threats, with attacks becoming increasingly varied and sophisticated. Ensuring that an organization is resilient to waves of new cyber risks is driving investment in technology, people and processes to protect business health and growth. Here we will share a five-point framework for retirement plan sponsors to consider when developing a cybersecurity program for their benefit plans:
Understand the data
Design the strategy
Assess service providers
Consider legal implications
Review insurance coverage
The 2016 ERISA Advisory Council examined cybersecurity considerations as they relate to pension and benefit plans, and focused on providing information to plan sponsors, fiduciaries and service providers in evaluating and developing a cybersecurity risk management program for benefit plans. But despite ERISA guidance, there isn’t comprehensive legislation protecting plan sponsors and service providers against cyber threats targeting retirement plans, as there is in the health-care arena (e.g., HIPPA). Though large recordkeepers including Charles Schwab, Empower, Fidelity and Wells Fargo have pledged a security guarantee to make victims of retirement fraud whole,1 plan sponsors need to take proactive measures to protect plan data.
1. Understand the Data
Many benefit plan data elements are personally identifiable information (PII) or protected health information (PHI). This personal information, including Social Security numbers, dates of birth and even fingerprints, is extremely valuable to cyber criminals because it’s often permanently associated with an individual and can’t be changed or canceled like a credit card or bank account.
Given the sensitivity of the data, sponsors must understand how the information is being gathered and used to facilitate plan administration. Plan sponsors and their service providers should maintain an inventory of the data collected and share only the data necessary to meet the needs of the plan — and no more. Don’t collect information unless there is a legal requirement or a demonstrable business process in which it is actually used. Once the information is no longer needed, it should be destroyed.
2. Design the Strategy
All plan sponsors and their service providers should consider a cybersecurity risk management strategy specific to retirement programs.
More than a checklist, this cybersecurity risk management approach should be dynamic and adaptive to the plan, plan sponsor and its service providers, as well as the continuously changing landscape. Key considerations include:
Cybersecurity points of intersection: Determine what cybersecurity measures (if any) the organization currently has in place, identify the internal stakeholders and begin to explore knowledge- and cost-sharing to enable greater program efficiency and effectiveness.
Data rules and roles: Building on existing internal cybersecurity best practices (if in place), create functional business and organizational requirements regarding what data is collected, how it is gathered, stored and deleted, and who has access to it. Responsibilities around and ownership of program implementation and monitoring should also be agreed upon and documented at the start. Establishing clear process guidelines and defining internal and external roles at the front end of the program will streamline management and ongoing enhancement.
Third-party risk management: First clarify which entity the data “belong” to and where the liability falls. Understand how service providers share, store and protect data. Determine whether those service providers outsource activities to other vendors. Vet the information security practices of all providers that receive participant data. Finally, create a provider inventory documenting the data they have access to and the security procedures they’ve committed to.
Training: Train staff involved with the plans or with access to plan data. An initial and refresher curriculum (specific to user type and data access) should be administered at the plan sponsor level as well as to appropriate plan service providers.
Testing and updating: Determine the frequency and type of testing procedures conducted. Consulting a cybersecurity expert to determine the best testing approaches should be considered.
Reporting: Testing and updating will yield reporting. Establish guidelines around report monitoring, including reporting frequency, reporting dimensions, report reviewers (potentially to include benefits and investment committees or other named fiduciaries) and escalation processes.
3. Assess Service Providers
Building on the issue identified during strategy development, plan service providers (including recordkeepers, third-party plan administrators and investment managers) could be the source of a data breach. The following questions regarding the protection of data may be helpful when contracting with and evaluating service providers2:
Does the service provider have a comprehensive and understandable cybersecurity program? If so, what is the structure?
How will the plan(s) data be maintained and protected, including encryption approaches and physical asset controls?
Will the service provider assume liability for breaches?What are the service provider’s protocols for notifying plan management in the case of a breach and are the protocols satisfactory?
Will the service provider agree to external reviews of its controls and regular monitoring and reporting?
What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)? Will subcontractors be subject to the same requirements?
4. Consider Legal Implications
ERISA requires that assets be held for the exclusive purpose of providing benefits to the participants and their beneficiaries and defraying reasonable costs of administering the plan. In practice, this means that the cost of creating and maintaining a cybersecurity program specific to benefit plan data could fall back to the participants, depending on state statutes. In those cases where the plan (meaning participants) funds the cybersecurity effort, sponsors should be mindful of designing a program that benefits the participants exclusively (rather than the employer).
Seeking ERISA counsel may be beneficial in determining the program payees. Additionally, ERISA counsel should offer guidance on whether ERISA pre-empts state law, should questions arise related to the program.
5. Review Insurance Coverage
While potentially duplicative with other fiduciary liability policies, cyber liability insurance covers a broader range of claims and can address employee PII made vulnerable by cyberattacks carried out on third-party service providers. Typical coverage includes breach response costs, regulatory fines and penalties, social engineering fraud, wire transfer fraud and various other types of liability. Beyond response and recovery action, defined as first-party coverage, employers should also be prepared for an additional wave of exposure from participant lawsuits. Third-party coverage is required for the cost of defense and the amount of any settlement or judgment, legal fees, forensic investigation and credit monitoring services.3
Belt-and-Suspenders Strategy Cybersecurity has become a business imperative. But beyond business intelligence, employee information also needs protection, particularly given the nature of the data (both permanent and unique to the employee) and the distance that it travels (from employers to a syndicate of service providers). In time, cybersecurity solutions will become elegant and comprehensive enough to automatically account for the requirements of benefit plan data; but in the meantime, employers must be proactive in embracing additive cybersecurity solutions in tandem with corporate information security efforts. The risk is too great not to.
1 “Empower’s new 401(k) cybersecurity guarantee a sign of the times,” InvestmentNews, June 26, 2018.
2 “Beyond HIPAA: Data Security and the Benefit Plan.” Sarah Bhagwandin, September 2017.
None of State Street Global Advisors or its affiliates (“SSGA”) are acting in a fiduciary capacity in connection with the provision of the information contained herein. SSGA’s role as a fiduciary with respect to the products and services described herein commences once SSGA has been retained to act in a fiduciary capacity pursuant to a written agreement and receipt of a fee. Prior to such time, SSGA is not undertaking to provide impartial investment advice or to give advice in a fiduciary capacity in connection with the sale or distribution of the products or services described herein. SSGA has a financial interest in the sale of our investment products and services.
The information provided does not constitute investment advice and it should not be relied on as such. It should not be considered a solicitation to buy or an offer to sell a security. It does not take into account any investor’s particular investment objectives, strategies, tax status or investment horizon. You should consult your tax and financial advisor.
All material has been obtained from sources believed to be reliable. There is no representation or warranty as to the accuracy of the information and State Street shall have no liability for decisions based on such information.
The whole or any part of this work may not be reproduced, copied or transmitted or any of its contents disclosed to third parties without SSGA’s express written consent.
Before investing, consider the funds' investment objectives, risks, charges and expenses. To obtain a prospectus or summary prospectus which contains this and other information, call 1-800-997-7327, download a prospectus or summary prospectus now, or talk to your financial advisor. Read it carefully before investing.
Distributor: State Street Global Advisors Funds Distributors, LLC, member FINRA, SIPC, an indirect wholly owned subsidiary of State Street Corporation. References to State Street may include State Street Corporation and its affiliates. Certain State Street affiliates provide services and receive fees from the SSGA Funds.
THIS SITE IS INTENDED FOR U.S. INVESTORS ONLY.
No Offer/Local Restrictions
Nothing contained in or on the Site should be construed as a solicitation of an offer to buy or offer, or recommendation, to acquire or dispose of any security, commodity, investment or to engage in any other transaction. SSGA Intermediary Business offers a number of products and services designed specifically for various categories of investors. Not all products will be available to all investors. The information provided on the Site is not intended for distribution to, or use by, any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation.
All persons and entities accessing the Site do so on their own initiative and are responsible for compliance with applicable local laws and regulations. The Site is not directed to any person in any jurisdiction where the publication or availability of the Site is prohibited, by reason of that person's nationality, residence or otherwise. Persons under these restrictions must not access the Site.
Information for Non-U.S. Investors:
The products and services described on this web site are intended to be made available only to persons in the United States, and the information on this web site is only for such persons. Nothing on this web site shall be considered a solicitation to buy or an offer to sell a security to any person in any jurisdiction where such offer, solicitation, purchase or sale would be unlawful under the securities laws of such jurisdiction.