Participant data and plan assets are a tempting target for internet thieves. The Department of Labor says that plan fiduciaries have an obligation to mitigate cybersecurity risks, but they may be unsure how to fulfill their responsibilities or unfamiliar with existing guidance on how to keep data and assets secure. On the flip side, since breaches can and do occur despite best efforts to avoid them, it is important to also have pre-established procedures for dealing with breaches and ransomware attacks. The best way to educate responsible fiduciaries is for them to participate in developing a written policy with specific required procedures. Following these will demonstrate how their fiduciary responsibilities are being fulfilled. Here is a nonexhaustive list of factors to take into account when developing such a policy.
How to Start. You don’t need to do it alone. Few plan fiduciaries have the expertise to handle this without assistance. Corporate security personnel should be involved in the process even if they are not otherwise involved in running the plan. There are also professionals who can be engaged to run a request for proposals (RFP) to find outside cybersecurity experts who can evaluate the systems involved.
All responsible fiduciaries should be familiar with the Department of Labor’s cybersecurity best practice tips and its specific hiring tips for plan fiduciaries. Organizations such as the SPARK Institute and the National Institute of Standards and Technology (NIST) make available guidance on establishing appropriate cybersecurity procedures. The Department of Health and Human Services is also proposing significant changes to strengthen HIPAA’s Security Rule (45 C.F.R. Parts 160 and 164) by mandating specific security controls and requirements for covered group health plans. These will be a useful resource on best practices even if the plans involved are not subject to HIPAA’s mandates.
Factors to Consider.
· Security begins at home. Plan fiduciaries and plan sponsor employees with access to personal data or investment accounts need training to make sure that they don’t respond to phishing attempts or inadvertently install malware on their computers.
· Recordkeeper Employees Need Training and Good Procedures. Several recent lawsuits by participants whose accounts were stolen by hackers resulted from human error. Recordkeeper employees actually assisted the hackers in changing contact information and bank account details, which enabled them to loot participant accounts. One publicized hacking attempt was foiled by the provider’s insistence on seeing a valid photo ID.
· Insist on multi-factor authentication. This is becoming common because it significantly lowers the risk of hacking. Cybercriminals may be able to guess passwords and user names, but they have difficulty providing further substantiation, such as a one-time code sent by text to a participant’s cell phone.
· Remote workers pose additional risks. Any computers used at home should have appropriate security software installed.
· Protect data at all points. Data can be stolen in transit as well as at rest, and it also needs to be backed up so that it can be restored in the event of a ransomware demand.
· Service Provider Audits and Tests. Any service providers with access to data or with authority to direct investments should have regular third-party audits of their systems and perform regular penetration tests.
· Subcontractors. Many service providers use subcontractors to perform some of the services they undertake. It is essential that these subcontractors be subject to the same standards that would apply if the service provider were performing the services itself.
· Contract Termination. What happens to plan data if a service contract is terminated? Service providers should not retain data longer than required by law. It should be destroyed or returned to the plan.
· Response to Breaches. Prompt notice of breaches is essential not just to comply with any applicable legal requirements, but to provide protection to participants whose data has been compromised.
· Indemnification Rights. Do the indemnification provisions of your service agreements cover security breaches caused by their employees’ negligence or reckless behavior?
· Insurance Coverage. Do you and your service providers maintain adequate cybersecurity insurance coverage? Since claims can be raised under state law, standard ERISA fiduciary liability insurance may not cover them. Other types of coverage, such as directors’ and officers’ coverage, may have exclusions. ERISA bonding coverage does not cover thefts of assets by criminal hackers. If necessary, have an expert review your current coverage and needs.
· Don’t Forget Welfare Plans. ERISA cybersecurity obligations apply to welfare plans, too. The Department of Labor recently confirmed this. Fiduciaries of group health plans subject to HIPAA should determine whether their compliance with HIPAA’s Privacy and Security Rules is sufficient to satisfy their ERISA obligations.
The bottom line is that fiduciaries may be personally liable for losses caused by breaches of their fiduciary responsibility to mitigate cybersecurity risks. Although it isn’t specifically required by law, a written cybersecurity policy should be given the same importance as the plan’s investment policy statement, missing participant procedures, and QDRO and loan procedures. And given the frequency with which new kinds of threats and attacks occur, the cybersecurity policy will need to be reviewed and updated on a regular basis.