What Retirement Plan Sponsors Need to Know About Cybersecurity

Dec 1, 2023

The retirement plan industry holds over $37 trillion in total participant retirement accounts. Yet, the industry as a whole lacks a comprehensive system of cybersecurity laws and regulations to protect those assets. The Department of Labor (DOL) has issued guidance recently to address cybersecurity and how it relates to employee benefit plans. This article will discuss the current state of guidance and the steps plan sponsors can take to mitigate risks. 

Department of Labor (DOL) Cybersecurity Focus

The DOL issued cybersecurity guidance in April 2021 for plan sponsors covering three areas: hiring a service provider, cybersecurity best practices, and online security tips for participants and beneficiaries. While providers are not legally required to follow the guidance, the DOL is using it as a checklist when conducting audits to gather additional cybersecurity-related information. Since issuing the guidance, the DOL has shown increased interest in reviewing audited plans' documented procedures, guidelines, and policies related to cybersecurity. Plan sponsors have been asked to provide specific details about how their plan service providers use participant data. If a plan is audited by the DOL, its sponsor should be prepared to provide specific information about the plan's policies regarding participant data and to supply follow-up information when requested.

ERISA Advisory Council’s Report on Cybersecurity Insurance

In December 2022, the ERISA Advisory Council released a report analyzing how cybersecurity insurance addresses risk in employee benefit plans. After hearing from several industry experts, the Council's overall conclusion was that the issue is complex and requires further study to combat misinformation and misunderstanding. Notably, one witness raised the idea that the Employee Retirement Income Act of 1974 already requires service providers and plan fiduciaries to guarantee against a loss even after they have taken reasonable steps to prevent fraud.

Steps Plan Sponsors Can Take

Effective plan sponsors are responding to this increased regulatory focus by looking for ways to meet their fiduciary responsibilities while mitigating retirement plan cybersecurity risks. Below are several steps plan sponsors can take to address these growing concerns.

1. Cybersecurity Insurance: Sponsors should consider cybersecurity insurance while also evaluating when and how the plan assigns liability for a cybersecurity breach. Plan sponsors must establish who the insured party is, who is responsible for purchasing the policy, and what is and is not covered under the policy when a breach happens. It is also important to weigh how much coverage the policy should provide, given that the average breach cost can exceed $9 million. Finally, sponsors should consider any specific factors related to the company and the plan itself.

2. Cybersecurity Risk Management Program: As a result of the DOL's audit investigations, sponsors feel increased pressure to implement a cybersecurity risk management program with policies and procedures that specifically address the employee benefit plan. If a sponsor decides to adopt a risk management program, it is imperative to ensure the policy is the right fit. A boilerplate policy is generally not a good approach, since it may not align with the company's actual processes and procedures. As with any program put in place around the plan's cybersecurity, it must be clearly understood, routinely followed, and updated regularly. A program that is put in place but not followed or updated could become evidence against the sponsor in the event of plan litigation following a cyber breach.

3. Incorporate IT into the Plan Committee: To remain abreast of emerging trends and advancements in cybersecurity, sponsors should consider adding an IT professional to the plan administrative committee. This professional keeps the committee informed and can help educate its members on the latest cyber tools and best practices. Their insight is also invaluable when evaluating processes and understanding the technological aspects of the plan.

4. Shared Responsibility: Recent trends show that it is no longer a question of who is responsible in the event of a cyber breach, but rather that all parties share responsibility for cybersecurity. The plan sponsor should play a key role in educating plan participants about their part in building a more robust cybersecurity defense. This education should cover emerging trends in cyberattacks and proper risk-mitigation practices, such as two-factor authentication, regular account monitoring, and recognizing and avoiding phishing attempts.

Pay Attention to the Plan’s Cybersecurity Process 

In today's increasingly technological world, cybersecurity risks are more prevalent and should be an ongoing part of plan administration. While the threat is ever-present, it is up to each plan sponsor to evaluate their plan's unique cybersecurity needs. To be proactive, sponsors should know what the plan's service providers are doing to prevent cyberattacks, educate participants, and document the policies and controls in place to protect both the plan and the sponsor in the event of a cyber breach.


Aviance Williams

Davidson, Holland, Whitesell & Co., PLLC


Phone: 828.322.2070 | Email: aviance@dhw.cpa