A legal advisory from Pillsbury Law addresses the ERISA Advisory Council's recent announcement that it will focus on how cyber-related threats affect TPAs (third-party administrators).
“By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans,” according to Pillsbury’s Jeffrey D. Hutchings, Susan P. Serota and Jessica Lutrin. They suggest that a comprehensive risk management strategy, one that includes implementing and periodically reviewing the contractual protections in arrangements with plan TPAs, could be an effective step.
Writing for plan sponsors, Hutchings, Serota and Lutrin argue that most contracts with TPAs lack adequate protections for data security. In fact, they point out, there can be more contractual protections for TPAs concerning data security than for other parties.
The authors argue that to better protect data security in dealings with a TPA, a contract can stipulate that a TPA comply with:
- its own cybersecurity policies;
- applicable law; and
- industry standards.
Another step, they suggest, is to require in the contract that the TPA commit to at least annual audits or reviews of its cybersecurity practices by a nationally recognized, independent third party.