Cybersecurity and Public-Sector DC Plans
The responses in the private sector to the risks that cybercrime poses to retirement plans, service providers and participants are as varied as its myriad components. But while one may expect that there would be a more uniform response from the public sector to protect its plans and participants, a recent report suggests that is not the case.
In “Cybersecurity: Are Public Defined Contribution Plans at Risk?” the National Association of Government Defined Contribution Administrators (NAGDCA) argues that public-sector plans face challenges that their private-sector counterparts do not when it comes to addressing and heading off cyberthreats.
Internal problems are part of the reason, NAGDCA says, such as antiquated information technology systems, including payroll and human resource administration systems, and heavy reliance on third-party data recordkeeping systems. Another explanation, the report argues, is that there is no uniform federal regulation on cybersecurity for retirement plans and their service providers.
And cybercrime perpetrated on a public-sector plan can be costly. Says the report, “Regardless of the investment made in protecting systems and data transmissions, plans remain vulnerable to human error and malicious or criminal actions. The latter are a particular cause for concern because of their prevalence and the fact that they are the most expensive to handle.”
And cybercrime can cost not only the participants whose data and accounts can be compromised — it can also cost the public itself. This is not only because addressing such violations entails costs; ironically, it also is due to privacy laws state governments have enacted to prevent cybercrime. Says the report, “With the vast majority of states now having privacy laws that apply to sensitive PII, a government defined contribution plan could face significant remediation-related expenses should a breach occur. On average, direct costs amount to approximately $6 per breached record.”
What to Do?
There may not be a comprehensive federal approach, or a code of law or regulation, to prevent and address cybercrime, but the Department of Labor (DOL) has not been idle, the NAGDCA points out. For instance, it notes, the DOL has attempted to require private-sector DC plan sponsors to protect the confidentiality of an employee’s personal information. The NAGDCA suggests that while public-sector DC plans are not subject to ERISA and are not required to comply with DOL cybersecurity rules, those rules nonetheless can serve as best practices the plans and their sponsors can follow.
In addition, the ERISA Advisory Council has made recommendations to the DOL regarding further steps plans, including public plans, can take.
Among them, establish a strategy:
- Identify the data (how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
- Consider frameworks and industry-based initiatives.
- Establish process considerations (protocols and policies covering testing, updating, reporting, training, data retention, third-party risks, etc.).
- Customize a strategy (for instance, concerning resources, integration, cost, cyber-insurance, etc.).
- Strike the right balance based on size, complexity and overall risk exposure.
- Consider applicable state and federal laws.
When contracting with service providers:
- define security obligations;
- identify reporting and monitoring responsibilities;
- conduct periodic risk assessments;
- establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared;
- consider whether the service provider has a cybersecurity program, how data is encrypted, liability for breaches, etc.
The report also points out that the Federal Trade Commission and the Securities and Exchange Commission have set “detailed” rules concerning the structure and operation of the required written policies, and that those rules apply to the financial institutions holding plan assets, investment advisors and other vendors who handle those assets. The NAGDCA suggests that plans — including public-sector plans — ask vendors about their privacy and security policies, as well as how they comply with the applicable laws.
And there are tools by which it is possible to monitor a vendor’s compliance with applicable privacy and security standards, it adds.
The NAGDCA further suggests that public-sector DC plans consider insurance to cover liability associated with a data breach.