The COVID-19 pandemic’s acceleration of remote working brought with it a renewed awareness of cybersecurity-related issues, as people established offices and networks outside the “protection” of an in-office environment. Scammers and cybercriminals also used fears of the coronavirus to their advantage. The Financial Industry Regulatory Authority noted the increased risks in an information notice from March 2020, “Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19).”
In addition, the U.S. Department of Labor’s 2021 guidance on cybersecurity put a spotlight on the topic and prompted renewed industry discourse about its importance. At the heart of the matter for plan sponsors is: Who has access to your participant data, and how are you protecting that data?
When it comes to a data breach, it’s not a matter of if, but when. As one example, the Defined Contribution Institutional Investment Association’s Retirement Research Center did a short survey in October of 69 employers and found that 13% said, “Yes,” they had experienced a data breach with their service provider/employee data. The topic will be one of ongoing importance in today’s rapidly evolving tech and litigation environment.
DOL Cybersecurity Guidance
The DOL’s 2021 guidance on cybersecurity is not binding, but it is likely to come up in any cybersecurity discussion. As described by the DOL, the guidance comes in three forms:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as the Employee Retirement Income Security Act requires;
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks; and
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Plan fiduciaries should document their process in considering the guidance and why the guidance was or was not followed. They should discuss who is responsible if there is a “blameless breach” and ensure all parties are aware. They should clarify the roles of the service provider, the participant, the consultant/adviser, law firm and other stakeholders and document those roles.
‘During vendor negotiations, it is useful to fully understand the vendor’s history and protocols. Ask if (or when) the vendor has paid out cybersecurity claims. Clearly define “data breach” and notification standards on your plan’s behalf. What are the remediation steps? What remedies are provided to participants? Also, ask about the role and oversight of subcontractors. Finally, it may be worth exploring specialized insurance coverage for cybersecurity liability. Applicants for this coverage will need to demonstrate awareness and implementation of cybersecurity best practices. Unfortunately, coverage may be difficult to obtain and/or expensive, given increasing volumes of cyber-attacks.
The DOL notes that the department’s guidance “complements [the Employee Benefits Security Administration]’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”
Additional Plan Sponsor and Service Provider Resources
In an article on retirement plan cybersecurity, insurance brokerage and consulting firm Arthur J. Gallagher & Co. notes, “For HR leaders, making prevention the first imperative requires working with corporate IT to put safeguards in place. They should have clear sight into how data is collected, held and classified, who has access, and which laws apply. Investing in enterprise-wide technology is critical to recognizing cyberattacks and stopping them when they occur. … Phishing and other social engineering techniques have become very sophisticated and can easily fool unwary team members into divulging information that give thieves access to sensitive data. One of the best protections is thorough training for both HR staff and employees.”
The article also provides a detailed list of important cybersecurity-related best practices for plan sponsors to consider.
An article by the Groom Law Group notes the importance of informing plan participants about their role in protecting their own data, stating that “One great way for an ERISA fiduciary to educate participants about online security is to distribute the DOL’s Online Security Tips directly to participants. These tips teach participants how to reduce the risk of fraud and loss to retirement accounts. Some plan sponsors have already put these tips on their websites and have sent them to participants by mail. Others are even including them in summary plan descriptions (SPDs).”
The industry is already keenly aware of and responding to cybersecurity challenges. Research from Cerulli Associates revealed that recordkeepers are increasing their cybersecurity staff as it becomes a growing area of general interest, as well as plan sponsor scrutiny. The nonprofit Society of Professional Asset Managers and Recordkeepers has a robust array of cybersecurity and fraud resources on its website; in particular, plan sponsors may want to consult the Plan Sponsor and Advisor Guide to Cybersecurity.
The guide cites security breaches typically being some form of attack on or intrusion into a network, a lost unsecured laptop and/or data file loss (recordkeeper to third party). It also describes forms of cyber fraud like phishing; malware and account takeover; theft; or impersonation. SPARK recommends that service providers utilize 17 “control objectives” that are listed and described in the guide when reporting on their overall data security capabilities.
At a broader level, the Cybersecurity and Infrastructure Security Agency leads the U.S. effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure. Of particular note, it offers resources for small and midsized businesses—these organizations may have special considerations, given potentially more limited resources to manage cyber risks than larger companies.
There are many resources available to plan sponsors to facilitate discussions about cybersecurity and awareness of best practices, as well as helping to inform and educate plan participants about the key role they play in protecting their information and retirement savings. Plan sponsors may want to consider creating a rolling calendar via which important topics like cybersecurity and participant data are regularly brought up for internal discussion among key stakeholders including HR, finance, legal, IT and communications.
Pam Hess is the vice president of research at the DCIIA Retirement Research Center.