Are Plan Fiduciaries Liable for Cyberattacks?
Add to the list of plan fiduciary concerns, cyber-related threats to plan assets and participant personal information.
These days much of that information lies in the hands (or, more accurately, the computers) of recordkeepers and third-party administrators (TPAs), though an analysis by attorneys at Pillsbury Winthrop Shaw Pittman LLP cautions that, due to the prolific nature of cyberattacks, it may be difficult to argue that a prudent person would not consider and react to cyber risks.
“For this reason,” the paper explains, “retirement plan administrators and other fiduciaries should be cautioned against viewing protection of plan assets and participant information as part of the responsibility of external plan trustees and TPAs and, accordingly, such fiduciaries would be well-served to demonstrate and document the development and implementation of their cyber risk management strategies.”
The analysis acknowledges that, due to the increasing sophistication (and often opaque nature) of cyber threats and attacks, it is virtually impossible to develop and implement a strategy to eliminate cyber risks, and instead recommends a focus on developing and implementing a comprehensive cyber risk management strategy. That requires that the plan sponsor/fiduciary:
- do thorough due diligence regarding its TPAs and vendors;
- implement and periodically review contractual protections and insurance requirements in arrangements with its TPAs;
- periodically monitor the TPAs’ cybersecurity compliance and related risks; and
- consider and, if appropriate, utilize the SAFETY Act and purchase cyber and privacy insurance.
TPA Due Diligence
The paper recommends that retirement plan sponsors take affirmative measures to vet their TPAs’ cybersecurity programs, and that as part of that they should ask TPAs affiliated with a financial institution to share the results of their assessments (if any) under the Cybersecurity Assessment Tool issued by the U.S. Federal Financial Institutions Examination Council. Additionally, the attorneys recommend that plan sponsors make a formal request of their TPAs for information regarding their security systems and risks.
The attorneys recommend that plan sponsors or plan administrators review and, as necessary, amend their agreements with TPAs to ensure that there are appropriate contractual commitments for the protection of data and a fair allocation of liability risk, including:
- the TPA’s commitment to maintain a comprehensive data security program;
- appropriate restrictions on the location and use of plan and participant data by the TPA, and on access to, and utilization of, such data by the TPA’s affiliates, subcontractors and other third parties; and
- requirements regarding the encryption of data, as well as the secure erasure or destruction of data when removed from storage media.
Additionally, they recommend that responsibility for the security of PINs (those assigned to participants to access their accounts and those assigned to retirement plan sponsors to access employer and plan data) be outlined, as well as the TPA’s obligations in the event of a cybersecurity incident, including:
- notification of the plan sponsor and/or administrator and affected participants;
- investigation, control and remediation of the incident;
- preservation of evidence; and
- provision of information and assistance to the plan sponsor and/or administrator in addressing legal compliance and other issues.
They further recommend that the plan sponsor/fiduciary have the ability to terminate the contractual agreement within a reasonable period as required under ERISA and/or impose damages on the TPA in such circumstances as a breach of security provisions in the agreement or a data breach.
Since traditional commercial general liability and property insurance policies (in addition to ERISA fiduciary riders to such policies) may not provide full coverage for cyber-related risks, the paper says that cyber and privacy insurance should be obtained to cover any potential gaps, including:
- crisis management event expenses;
- security breach remediation and notification expenses;
- business interruption and similar expenses;
- network and information security liability;
- communications and media liability; and
- regulatory defense expenses, including fines and penalties coverage.
Finally, the report notes that retirement plan sponsors and plan administrators should examine whether they can benefit from utilizing the SAFETY Act, a liability management statute administered by the Department of Homeland Security that limits or eliminates third-party tort liability claims following a terrorist attack or cyberattack. The report says that retirement plan sponsors and administrators could utilize the SAFETY Act in one of two ways:
1. by having their internal cybersecurity plans and policies SAFETY Act approved, thereby significantly limiting the possible scope of litigation claims they would face after a cyberattack; or
2. by requiring TPAs to hold SAFETY Act protections, as that would allow retirement plan sponsors and administrators to be dismissed from a broad array of claims alleging negligence or poor performance attributed to the third-party security products and services.
Obtaining SAFETY Act protections may serve as evidence that the retirement plan’s cybersecurity programs were reasonable and that the plan’s sponsors or administrators exercised their fiduciary obligations with respect to cybersecurity.
The paper closes by acknowledging that while ERISA does not directly address cybersecurity as it relates to retirement plans, “much consideration is now being given by practitioners as to whether or not the responsibility to address cybersecurity is a fiduciary function.” However, assuming it is a fiduciary function, while the occurrence of a cybersecurity breach does not necessarily give rise to a fiduciary breach under ERISA, the failure to avoid, mitigate or respond to such a breach may create such exposure.