Addressing Retirement Plan Cybersecurity
It’s not really new that cybersecurity is a concern for employers. But it bears repeating — and especially in the context of retirement plans, since plan participants’ personal and financial information is maintained and shared by multiple parties.
Plan sponsors, record keepers and other service providers have access to that data — such as names, addresses, Social Security numbers, compensation levels and other financial information — Poyner Sprills’ Eugene Griggs points out
. Among the risks of that, says Griggs, is that possessing that information “usually is sufficient to steal an employee’s identity.”
Not only that, argues Griggs, a cybersecurity breach also entails detecting the breach, determining how bad it is, recovering data and restoring the integrity of the system — and that can impose significant costs. Add to that the possibility of governmental enforcement, penalties and civil suits.
That enforcement is a little hazy, Griggs indicates, since “there is no comprehensive federal regulatory scheme governing cybersecurity for retirement plans and their service providers.” In addition, he notes. “Whether cybersecurity is an ERISA fiduciary responsibility and whether ERISA preempts state cybersecurity laws remain important unanswered questions.” He points out for good measure that the Department of Labor (DOL) ERISA Advisory Council’s recent recommendations on actions the DOL can take regarding cybersecurity and making workplace retirement accounts more secure highlights the need for additional clarification on the extent of plan sponsor and vendor responsibilities to protect participant information.”
Despite that uncertainty, Griggs argues that the government does dispel the fog to an extent. He notes that DOL Reg. §2520.104b-1(c) and DOL Technical Release No. 2011-03 do impose obligations to ensure that electronic systems protect the confidentiality of personal information. And some states have enacted laws that address cybersecurity breaches.
In addition, Griggs notes that the Advisory Council Report Council “provides extensive information to plan sponsors, fiduciaries and plan service providers on approaches for managing cybersecurity risks.” And he suggests that the report provides a basis for addressing cybersecurity: “While the report’s recommendations do not have the force of law or regulation, in light of the broad scope of an ERISA fiduciary’s obligation to act with prudence and the resources the Council has directed at this issue, this report may represent the foundation for future regulatory or statutory efforts addressing plan sponsor and vendor fiduciary responsibility for cybersecurity matters. In addition, it could cited as a baseline standard-of-care in future tort actions by private plaintiffs.”
But fiduciaries and plan sponsors need not wait for government mandates nor hand-holding, Griggs indicates, suggesting concrete steps they can take to address risks to cybersecurity in three areas:
1. Developing, implementing and maintaining a strategy;
2. Managing the risks of having third parties involved in handing sensitive information; and
3. Evaluating insurance coverage and considering specialized cybersecurity insurance.
Griggs argues that fiduciaries and plan sponsors “should focus on developing a reasonable and proportionate response to the risk of a cybersecurity breach of plan data.” He further concludes that “prudent plan sponsors and fiduciaries should develop a cybersecurity risk management strategy specific to and appropriate for their benefit plans, leveraging where possible existing cybersecurity efforts in the sponsor’s core business.”