Retirement Plan Cybersecurity Disclosure to Make Everyone Satisfied

Retirement plan sponsors want to know their service providers are taking steps to protect participant data, but providers are concerned about releasing confidential information.

“There  is  no  comprehensive  federal  regulatory  scheme  governing  cybersecurity  for  retirement plans in the U.S.,” states a white paper issued by the Pension Research Council and The Wharton School, University of Pennsylvania. “Likewise, there is no comprehensive federal scheme that covers their service providers.” 

The paper, authored by Tim Rouse, executive director of The SPARK Institute in Simsbury, Connecticut; David Levine and Allison Itami, principals at Groom Law Group in Washington, D.C.,;and Ben Taylor, senior vice president and defined contribution (DC) consultant in Callan’s Fund Sponsor Consulting group, based in the San Francisco office, notes that the Employee Retirement Income Security Act (ERISA) is silent on data protection in the form of electronic records, and U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function.

However, as more cybersecurity attacks are reported in the media, it is an issue at the top of many minds in the retirement industry. In 2018, the ERISA Advisory Council asked the Department of Labor (DOL) to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face and to require them to be familiar with the various security frameworks used to protect data as well as to build a cybersecurity process. Earlier this year, lawmakers sent a letter to the Government Accountability Office (GAO) asking it to examine cybersecurity in the U.S. retirement system. The letter identifies 10 questions the lawmakers would like the GAO to answer, following its examination.

There are some steps retirement plan providers are taking to relieve retirement plan sponsors about the risk of cybersecurity threats to participant accounts. According to Wendy Carter, vice president and defined contribution director in Segal’s Washington, D.C. office, and a vice-chair of the Data Security Oversight Board for The SPARK Institute, all companies have insurance to make participants whole if their account balances are accessed and taken.

Itami says cybersecurity insurance is an evolving area—a growth opportunity for insurers. Plan sponsors usually first go to their errors and omissions (E&O) insurance provider to ask if they have it, she says, but they may need to find a broker to help find it.

Plan sponsors obviously have a fiduciary duty under ERISA to protect participants’ retirement assets, but is participant data a plan asset? According to the white paper, a conservative approach would be to treat participant data as such and take prudent steps to protect it.

Issues with evaluating cybersecurity processes of providers

Carter says retirement plan sponsors are concerned about how they can ensure that recordkeepers have robust cybersecurity processes to protect all the personal information they hold about participants. However, providers are concerned about providing information about their cybersecurity practices, and that their efforts would be for naught because hackers could get access to the information they reveal.

These concerns are why The SPARK Institute came up with a framework for cybersecurity disclosure by plan providers. It includes 16 identified critical data security control objectives, and requires plan providers to use an independent third-party auditor. Each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of SPARK’s 16 control objectives.

Those 16 control objectives are:

  • Risk assessment and treatment;
  • Security policy;
  • Organizational security;
  • Asset management;
  • Human resource security;
  • Physical and environmental security;
  • Communications and operations management;
  • Access control;
  • Information systems acquisition development;
  • Incident and communications management;
  • Business resiliency;
  • Compliance;
  • Mobile;
  • Encryption;
  • Supplier risk; and
  • Cloud security.

Itami explains that the framework is trying to reach the goal of providing a format for plan sponsors to look at different providers and compare apples to apples. “A plan sponsor can take the approach of asking the 16 questions, but that is not efficient, and they might run into resistance about giving detailed information that could be used by hackers,” she says.

With the SPARK framework, an outside auditor will write a report analyzing how recordkeepers address the 16 controls. “They will lay out a provider’s process without going into details. For example, the report may say, ‘Provider A uses X encryption,’” Itami says.

She adds that the report shows plan sponsors a provider has something in place and whether it looks rigorous or not. “The vast majority of plan sponsors are not cyber experts, so it’s helpful if an auditor has asked the questions,” she says.

Carter says the auditor’s report will also identify whether any issues have come up with a provider, whether it was a significant risk and whether it has been corrected.

What plan sponsors should ask of providers

Itami says plan sponsors can ask prospective providers whether they have had an independent audit of cyber controls and to see the report. If they don’t have one, the plan sponsor can ask for one.

In addition, according to Carter, plan sponsors should have specific cybersecurity information in their contracts with providers, including information about any insurance provided.

“My plan clients are very concerned about cybersecurity and knowing auditors are looking at this specifically makes clients feel more comfortable,” Carter says.

A note about data retention

A post from Joseph J. Lazzarotti, a principal at law firm Jackson Lewis, says B.C. Pension Corporation announced a data breach involving pension plan records after discovering a box containing microfiche could not be found following a recent office move. The box contained personal information (names, Social Security numbers and dates of birth) on approximately 8,000 pension plan participants. The company employed those participants during the period 1982 to 1997.

He said ERISA includes specific record retention requirements. “For example, persons who are responsible for filing plan reports must ‘maintain records to provide sufficient detail to verify, explain, clarify and check for accuracy and completeness.’ In addition, ERISA requires employers to maintain sufficient records to determine benefits due to employees. Because employees may not retire for many years after accruing benefits under the pension plan, plans need to maintain records until plan participants retire and the records must be sufficient to determine benefits under the plan,” he wrote.

He cited the 2016 ERISA Advisory Council report of considerations for the DOL, which said plan sponsors and service providers should:

  • Retain only the data that is needed; if certain data elements can be redacted, remove them;
  • Maintain an inventory of records that are retained regardless of format, and where to find them;
  • Outline a clear process for moving records, and track location and inventory during the move; and
  • Delete records that are no longer needed; confirm service providers have done so, as applicable.
“Of course, no set of safeguards for protecting personal information will prevent all kinds of compromises to it. Mistakes happen, so employers and plan administrators should be prepared by developing and maintaining incident response plans and practice them,” Lazzarotti said.