Be Prepared: When a Cybersecurity Issue Occurs, Plan Sponsors Can Spring Into Action

Those with experience say ‘clear, concise communications’ and coordination with partners are vital in crafting an effective response.

When Michael P. Kreps, a principal with Groom Law Group, helped draft a letter informing participants at two plan sponsors of a subcontractor’s data breach, he did not expect completely different reactions from each group. In the first instance, there was zero participant response after learning that information had been hacked. In the second, more than 300 participants called a toll-free number with questions.

“I can’t find any reason why one would have such a massive response,” Kreps says about the challenges inherent in delivering bad news. “So, we’ve defaulted toward clear, concise communications to people to tell them what happened, how you’re addressing it and flagging risks for them.”


The question of how plan sponsors can most effectively respond to and communicate news of a data leak to their participants has been a central topic for years. But a new Securities and Exchange Commission rule in effect this year outlining how quickly public companies must disclose material cybersecurity events is expanding ongoing discussions about best practices for disclosure and prevention. Plan sponsors, attorneys, consultants and cybersecurity experts are helping hone and assess new approaches and responses intended to inform—without alarming—participants of a potential breach.

Meticulous Planning

For Stacy Hughes, the Atlanta-based chief information security officer at Voya Financial, the time to craft a response to a potential cybersecurity threat is long before any incident occurs. The main thrust of the new SEC rule requiring more rapid disclosure focuses plan sponsors on determining what is considered material for the organization, since the rule stipulates disclosing such events on a new Form 8-K within four business days. In addition, she emphasizes the importance of the new disclosures in the company’s annual report, which must describe the plan sponsor’s cybersecurity program fully. Beyond the new specific requirements, Hughes sees plan sponsors’ broader and ongoing responsibilities in preparing responses coalescing around three areas: people, process and technology.

“I would encourage everybody to look at making sure, in a couple of different areas, ‘Do we have staff committed to that function within a plan sponsor?’ and then also making sure you’ve got diverse security experience and background within your organization,” Hughes says. “Looking at it from a people perspective, really having a robust security awareness and employee training program year-round.”

Creating a detailed approach ahead of time and assigning people to monitor and respond to any potential threat is essential to being prepared should a breach occur, Hughes says. To encourage best practices, Hughes advises drafting a RACI (Responsible, Accountable, Communicated, Informed) matrix that clearly outlines roles and responsibilities for everyone in an organization should its cybersecurity be compromised.

The next step involves testing that plan in a tabletop exercise on an ongoing, regular basis that includes all stakeholders, she says. Hughes finds it useful for teams to role-play common risks, including a scenario in which a business email account has been compromised or a ransomware attack occurs.

“It makes what I like to call ‘muscle memory’: When you’re in the moment, you know what to do,” Hughes says.

Advance preparation is also key for Kelly Lazzara, senior compliance counsel in Gallagher’s Financial and Retirement Services Practice, based in Pittsburgh.

“The best practice with respect to anticipating, preventing and then, of course, responding to a cybersecurity incident from a provider is already having a plan in place,” Lazzara says.

Even if a breach occurs externally, Lazzara recommends that plan sponsors create what she calls a SWAT team, or an incident response team, internally that would typically include the chief information security officer, legal counsel and the human resources and retirement teams.

“They can understand what the impact is and what the data is and be part of a response team and hopefully the ongoing monitoring team and compliance portion of this,” she says.

Developing a coordinated response, however, should also build in flexibility, Lazzara says.

“A formal, well-documented security program should be detailed enough to give you direction and allow you to annually review it, but give you flexibility to respond,” Lazzara says. “With cyber crime and cyber thieves getting smarter, the program should be agile.”

Prevention is not always possible, but regular monitoring and reviews that identify a threat or weakness give a plan sponsor the opportunity to close that gap in real time or prevent the same breach from happening again, she says.

This kind of proactive approach has been in the works at many plan sponsors for years and provides protection from potential litigation should a breach occur, according to Lazzara. She views the SEC’s new rules as an expansion of the Department of Labor’s guidance.

“It is already happening,” Lazzara says. “People in this space are already two years into the DOL’s best practices, and a lot of people also look to know things as soon as possible … so you can close that breach.”

Partners Should Take Certain Duties on Board

One outcome already occurring at some plan sponsors is a greater focus on building rapid reporting requirements into contracts.

“Plan sponsor and plan fiduciary expectations are changing, and that’s just a natural progression,” Lazzara says. “We want everything as soon as possible, and, given the plan sponsor’s fiduciary obligation with respect to understanding the breach or the incident and responding to it, there’s a lot of pressure for those response and incident-reporting times to come down.”

Kreps, based in Washington, D.C., also sees the need for plan sponsors to consider both SEC rules and DOL guidance, along with requirements that can vary by state.

“It’s a bit of a thicket because, depending on the type of the breach and the type of the data involved and the location, you have to be cognizant of all the state privacy laws as well,” Kreps says.

Accordingly, Kreps sees best practices as a multi-step approach: detecting the breach; understanding what happened; notifying the insurance carrier; tapping expertise, in house or external, to quickly get a sense of who was impacted; and finally notifying participants as quickly as possible.

When a security issue is detected, Kreps encourages plan sponsors to be as clear as possible in disclosing a breach.

“Most normal humans expect this to happen to them: that their information may be stolen,” Kreps says. “We’ve all just kind of accepted it, but what they get really annoyed about, from a PR, client, customer participant relations standpoint, is not being told, not having an idea of what’s happening and not knowing how to get things done to fix it.”

Understanding the scope of a problem can be particularly challenging for plan sponsors when a breach involves a third party, and especially when the plan sponsor does not find out until long after the breach occurred. Even in such cases, however, the advice for plan sponsors remains the same.

“When they know, move as quickly as possible,” Kreps says. “And when you are aware of the breach, then try and get those notices out.”

Kreps advises plan sponsors to write rapid notice requirements into their service agreements, with a specific timeline for when the provider must inform the plan sponsor of a breach, an outline of who will take the lead on communication and approval rights for any communication. While it remains an open question whether data is considered a plan asset, plan sponsors nonetheless need to make sure they fulfill their fiduciary duties, he says. One way to mitigate such risks is to be able to demonstrate that the plan sponsor was prudent in how it selected the provider and considered whether the provider had effective security in place, he says.

Do Not Be Caught Unaware

Michael Stoyanovich, vice president and senior consultant with Segal’s administration and technology consulting practice, based in San Francisco, also suggests plan sponsors keep a closer watch on vendors, since vendors are typically among the greatest cybersecurity risks for organizations to manage.

“Third-party risk is one of the higher risks associated with plan data and information, and it’s cumulative,” he says. “The more vendors you share with, the greater the risk.”

Stoyanovich urges plan sponsors to consider enhancing their third-party risk management program and practices. For instance, he advises regularly reviewing the data and information sent to any third party, since plan sponsors can reduce risk by limiting what data is shared with vendors. Among other things, he encourages including contract language that grants the right to review vendors’ annual third-party cybersecurity assessments or audits, along with notification of those audits. He also recommends reviewing minimum cyber liability insurance, asking about past cybersecurity incidents and requiring timely notification of any future incidents, should they occur.

“If a plan is doing everything right and passes data and information over to a third party, then it’s kind of a black box,” Stoyanovich says. “They need to be very attentive to third-party cybersecurity programs themselves.”

When it comes to the new SEC rules, which require public companies to disclose a material breach within four days and to outline the nature and impact of the incident, the steps taken to address it and any updates to policies and procedures, he suggests companies treat third-party risk as one of the key drivers of their cybersecurity risk.

“The reality is they may not meet your standards,” Stoyanovich says. “You have to understand whatever you’re expecting of yourself, you should expect of your third parties.”
