
Cybersecurity: Knowledge Is Security

Practice Management

Sometimes what you don’t know is as important as what you know, and a Feb. 5 ASPPA webcast addressed how that principle applies to cybersecurity.

In “Cybersecurity: What You Don’t Know — and Do — Will Hurt You,” Bruce L. Ashton, APM, a Partner at Drinker Biddle & Reath LLP, discussed cybersecurity and why it matters so much. He opened by remarking, of concerns over cybersecurity, “It’s real,” adding, “All of us need to be prepared to deal with this growing issue.”

The responsibility to protect plan data falls on three parties, Ashton said: (1) service providers; (2) plan sponsors/fiduciaries; and (3) participants. “Much of the scrutiny regarding cybersecurity will fall on you as service providers,” he remarked. Consequently, Ashton told attendees, they need to be ready to:

  • provide data protection;
  • respond to client inquiries about what you do; and
  • advise your clients on what they need to be doing.

This is critically important, Ashton said, because plans and service providers hold lots of data and have to keep it safe, “because participants can easily lose their benefits.” In addition, he pointed out, cyberattacks are increasingly pervasive and damaging, with business email compromise and account takeovers particularly serious threats. Not only that, Ashton said, the cost of a cyber breach can be very high — not only to a business and a plan, but also to participants, since their account balances are at risk.

Service providers, Ashton said, face two main problems: (1) compliance cost and complexity, which are exacerbated by uncoordinated and differing approaches; and (2) potential impact on business activities, which includes potential limits on use of data for everything from financial wellness analysis to cross-selling other services.

And the pressure is even greater on service providers, Ashton suggested, because they are subject to:

  • scrutiny by clients and potential clients;
  • potential reputation damage;
  • potential business disruption; and
  • potential expenses to remediate, including litigation, reimbursement, credit monitoring and regulatory penalties.

And that’s not all — laws and regulations are an additional complication. All 50 states have breach notification laws and many have data security requirements, Ashton observed, and firms located in multiple states will have to comply with differing state laws and regulations.

ERISA also sets requirements concerning confidentiality of participant information, and requires incorporating: (1) measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended; and (2) a plan to provide a secure storage environment and a quality assurance program evidenced by regular evaluations of the electronic recordkeeping system, including periodic checks of electronically maintained or retained records.

“There is a real ERISA requirement to protect data,” said Ashton, which means that fiduciaries must:

  • protect confidentiality;
  • provide security for the information;
  • conduct regular monitoring; and
  • exercise a duty to prudently select and monitor service providers.

Action Steps

Ashton suggested a variety of steps that can be taken to improve cybersecurity.

One way to improve the situation, Ashton indicated, is education. “You need to train yourself and look for odd emails. You need to train your staff, and plan sponsors need to train their participants,” he said.

Ashton also suggested creating a risk management strategy, which, he added, would also be prudent for purposes of ERISA. In doing so, he said:

  • understand the plan’s data;
  • determine how information is accessed, stored, shared, controlled, transmitted and secured (for example, encryption);
  • take into account the plan’s size, complexity and overall risk exposure; and
  • coordinate the plan’s cybersecurity with the plan sponsor’s broader cybersecurity efforts.

Best practices, Ashton suggested, include:

  • adopt and follow a layered/multi-front approach;
  • segregate network components/locations;
  • encrypt all data;
  • guard against access by unauthorized persons;
  • keep all software patches and updates current;
  • ensure anti-virus software is current;
  • monitor system perimeters/defenses;
  • identify system weak spots/vulnerabilities;
  • review activity logs;
  • note real-time capabilities;
  • consider response strategies;
  • plan ahead;
  • prepare incident response contingency plans;
  • provide regular employee training;
  • back up data regularly;
  • store data separately; and
  • consider cybersecurity insurance.

“This is something you need to pay attention to,” Ashton said, adding that one should “consider adding data security to your value proposition.” He warned, “You have to be conscious of the fact that cyber crooks are doing everything they can” to get into systems, “so you have to take steps to head that off.”