Are your plan participants protected?

The issue of cybersecurity has been the topic of many headlines. But one important cybersecurity risk that often goes unexplored is protecting the private data of participants in an employee benefit plan. Every retirement plan maintains individuals’ names, dates of birth, Social Security numbers, and bank account information about current and former participating employees.

Employee benefit plan sponsors have a fiduciary duty to ensure participant information and plan assets are protected from the growing number of cyber threats and that there is a plan in place to respond to a data breach and mitigate any associated damages.

The ERISA Advisory Council shared some considerations concerning cybersecurity with the federal Department of Labor.

Four Areas for Effective Practices and Policies

The Council identified four major areas for effective practices and policies to enhance cybersecurity and protect participant data.

  1. Data management – Protect and control data: Implement strong encryption protocols for sensitive participant information, both in transit and at rest. Regularly audit and monitor access to participant data, and establish strict access controls to limit unauthorized access. Furthermore, create data retention and disposal policies to ensure that outdated or unnecessary data is securely disposed of, reducing the potential impact of a breach.
  2. Technology management – Maintain up-to-date technology: Continuously update and patch all software, operating systems, and network infrastructure to defend against known vulnerabilities. Implement intrusion detection systems and firewalls to monitor and prevent unauthorized access. Regularly conduct penetration testing and vulnerability assessments to identify weaknesses in the system and address them promptly.
  3. Service provider management – Perform due diligence on plan data security of service providers: Before engaging with any third-party service provider, conduct thorough assessments of their cybersecurity practices and protocols. Require service providers to adhere to stringent cybersecurity standards and contractual obligations to protect participant data. Regularly review their security measures and performance to ensure ongoing compliance.
  4. People issues – Properly train and manage personnel: Establish comprehensive training programs to educate employees about cybersecurity best practices, such as recognizing phishing attempts and safeguarding sensitive information. Foster a culture of security awareness within the organization. Additionally, create an incident response plan that outlines roles and responsibilities in the event of a data breach. Regularly test and update this plan to ensure its effectiveness.

By focusing on these four areas of effective practices and policies, employee benefit plan sponsors can significantly reduce the risk of data breaches, protect participant information, and fulfill their fiduciary duty to safeguard plan assets from evolving cyber threats.

Three Considerations to Help Manage Cybersecurity

The Council listed three considerations to help plan sponsors, administrators and fiduciaries manage cybersecurity.

1. Establish a Strategy

Plan sponsors should identify their data and assess the risks to it (how the data is stored, controlled, accessed, and transmitted). Plan sponsors will also want to establish processes for testing and updating technology, training personnel, and managing third-party risks. In customizing the strategy, available resources, cost, size, complexity and overall risk exposure must be taken into consideration.

2. Contracting with Service Providers

Plan sponsors should have cybersecurity discussions with the plan’s third-party service providers and review their current policies or procedures relating to data security, including passwords, social media, document retention, internet privacy, etc.

3. Insurance

The plan sponsor should understand the insurance policies covering the plan. Do they cover cyber risks? If not, plan sponsors should consider obtaining cybersecurity insurance along with first-party coverage.

Unfortunately, cybersecurity is a growing concern for all entities, including employee benefit plans. Plan sponsors and other fiduciaries need to be aware of these risks and put into place defensible policies and procedures to help limit exposure to liability for the plan as well as the fiduciaries.

Content provided by LBMC professional, Jenny Merritt.