
What Retirement Plan Sponsors Can Do About Cybersecurity

Practice Management
An increasing number of retirement plan participants are victims of cyber breaches. And this, argues a recent blog entry, puts more than participants at risk—it also puts plan sponsors at risk of fiduciary liability.
 
“Cybersecurity and Retirement Plans: What Plan Sponsors Should Do,” a recent law alert by the Wagner Law Group, observes that this very thing happened this spring, when a plan participant filed a complaint that alleges that plan sponsor Abbott Laboratories and third party administrator and recordkeeper Alight Solutions breached their fiduciary duty under ERISA and broke state law as well when an unauthorized distribution of $245,000 took place. The Department of Labor (DOL) had found that the distribution took place because of cybersecurity failures concerning ERISA plan clients’ accounts.
 
The Bigger Picture
 
The Abbott case—as well as other similar suits—raises a question, says the blog entry: How can plan sponsors minimize fiduciary liability for cybersecurity breaches?
 
The DOL, Wagner notes, has not yet taken a formal position nor issued comprehensive guidance on ERISA fiduciary standards governing the cybersecurity of retirement plans, including what data is considered to be a plan asset. But that may not matter, the blog suggests; it anticipates that even if the DOL provides such guidance, any such analyses would probably be very fact-specific and turn on the data the cyber criminals take.
 
The DOL has issued guidance that offers some direction, the blog notes. In 2002 it issued regulations concerning electronic disclosure of plan information to participants. In that guidance, the DOL instructed plan administrators to take:
 
“appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents …[p]rotects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the [participant]).” 
 
Similarly, the blog notes, the DOL in 2019 issued https://www.asppa-net.org/news/browse-topics/dol-unveils-new-e-delivery-... proposed regulations on electronic disclosure; those proposed regulations require:
 
“the administrator [to] take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.” 
 
However, it adds, this language does not explain how to go about that, nor address what a plan sponsor’s fiduciary obligations are. 
 
There is less ambiguity when actual funds in an individual’s retirement account are stolen, however. In that case, says the blog, ERISA’s fiduciary protections will apply, as will HIPAA responsibilities if the breach involves unauthorized access to protected health information. When funds are stolen, the question is then who will be liable and what fiduciaries need to do to protect themselves from liability.   
 
Action Steps
 
In the absence of “substantive regulatory guidance” and in view of the growing threat of cyber crime inflicted on retirement plans, the blog suggests that plan sponsors might want to take a variety of steps.
 
  • Set, evaluate and test cybersecurity protocols. 
  • Consider following a conservative approach, assuming that ERISA’s duties of loyalty and prudence apply to participants’ identification data and plan benefits. This, the blog argues, could be helpful if the DOL or the courts conclude such information constitutes plan assets under ERISA.
  • Consider the following to help head off cyber breaches:
 
o Ask service providers with whom participant data is shared to provide information regarding their data security processes and data transmittal policies.
o Review and revise service agreements.
o Negotiate to add provisions to service agreements concerning (1) a commitment to maintain cybersecurity insurance, (2) indemnification of the plan for losses, damages, expenses and lawsuits over unauthorized access to participant data, (3) an agreement to implement cybersecurity standards and (4) an agreement regarding notification when a data breach occurs.
o Review and modify the fidelity bond to ensure sufficient coverage.
o Open a cybersecurity insurance policy.
o Open a fiduciary liability insurance policy or review an existing one to determine if it covers fiduciary breach claims related to selection and retention of plan service providers.
o Review sharing of participant data.
o Ensure that requests for proposals incorporate information about data security and data transmittal policies, insurance coverage and other relevant information.
o Consider internal training for all individuals with access to personal identifying information concerning cybersecurity.
 
“There is no one-size-fits-all approach,” notes the blog.