Report Offers Framework for Plan Sponsors to Address Cybersecurity

A 2016 ERISA Advisory Council report includes an appendix titled “Employee Benefit Plans:  Considerations for Navigating Cybersecurity Risks.”

A report suggests materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program in the form of the document included in the appendix of the report titled “Employee Benefit Plans:  Considerations for Navigating Cybersecurity Risks.” 

The 2016 ERISA Advisory Council observed that while cybersecurity is a focus area for organizations with regard to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Retirement plan sponsors and fiduciaries should consider cybersecurity in safeguarding benefit plan data and assets, as well as when making decisions to select or retain a service provider, the Council says.

The Council recommended that the Department of Labor (DOL) make its report and its appendices available via the Department’s website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information about developing and maintaining a robust cyber risk management program for benefit plans. It also recommended the DOL provide information to the employee benefit plan community of plan sponsors, fiduciaries and service providers to educate them about cybersecurity risks and potential approaches for managing these risks. 

In its report, the Council noted that The SPARK Institute is in the process of establishing uniform data management standards for the defined contribution retirement plan market.  This initiative has been driven by the fact that defined contribution providers are getting an increasing number of inquiries from clients and intermediaries regarding cybersecurity arrangements. SPARK has established a Data Security Oversight Board to oversee program development and implementation.

The Obama Administration, the Health Information Trust Alliance and the American Institute of Certified Public Accountants (AICPA) have also put forth initiatives to address cyber security risk.