Sponsors Should Have a Plan in the Event of a Cyberattack

It could be helpful to hire a third-party specialist to do a risk assessment of the handling of participant data.

While the Department of Labor (DOL) hasn’t issued formal guidance on the responsibilities of retirement plan sponsors to protect against cybersecurity threats, there are commonsensical protections plan sponsors can put in place nonetheless, according to Employee Retirement Income Security Act (ERISA) attorneys.

Sponsors need to be actively thinking about cybersecurity protections and have a plan of action in the event of a breach, Ed Redder, a partner in the employee benefits and executive compensation group at Thompson Hine, tells PLANSPONSOR.

“If a plan fiduciary only starts thinking about this once a breach occurs, they will be behind the eight ball,” Redder says. The first thing sponsors need to do to protect their plan participants’ data is examine their vendors’ contracts and internal processes in the event of a breach, he adds. “Sponsors must build out agreements with their providers to delineate the responsibilities between the parties should a data breach occur.”

Layna Rush, a shareholder with Baker Donelson and head of the firm’s data incident response team, also says any party that could be impacted by a cybersecurity breach must have an incident response plan.

“If the sponsor’s vendors are handling personal information or protected information, then the sponsor must ask them how they would handle a breach and walk through a tabletop exercise to determine how their vendors would react,” she says. “They need to give prior consideration to their contracts with their vendors to ensure that they are adequately prepared.”

Rush also recommends plan sponsors have a third-party specialist do a risk assessment and identify their biggest risk. “You can’t always do everything at once to address risk. Instead, come up with a mitigation plan to address those risks in order of importance and then set a schedule to go through them all,” she says.

Should a breach actually occur, the plan sponsor “needs to find out which participants were impacted, which data elements were compromised, when the breach occurred and what steps have or will be taken to mitigate the impact of the breach,” Redder says.

After that, the plan sponsor must determine whether the government, media or participants need to be notified under the governing laws and coordinate with the vendors to ensure that duplicate notifications are not issued, as any repetition could confuse and potentially irritate participants and result in mixed messages, Redder says. Each state has different laws on cybersecurity breach and/or privacy breach notifications, so a company operating in several states needs to stay on top of these requirements, which an ERISA attorney can assist with, Redder says.

Many vendor contracts include indemnification clauses that may apply in the event of a breach, Redder says.

“I have also seen many large recordkeepers include ‘theft guarantees’ for participants so that if the participant follows certain protocols the recordkeeper spells out for protecting their account, and the account is hacked anyway, the recordkeeper will make their account whole,” Redder says.

The sponsor should determine if any of the company’s insurance policies cover cybersecurity breaches, and, if so, the next step is notifying these insurers that a breach has occurred, Redder says. “The benefit of doing that is many insurers can provide helpful resources to resolve a breach and help protect the sponsor’s rights as well,” he says.

A plan sponsor must act quickly in the event of a breach, says Adam Levin, founder of Cyberscout. “Getting your response right may keep a really bad situation from becoming an ‘extinction-level event.’”

Once all of this has been addressed, Levin says the sponsor should ask the vendor in question what steps will be taken to mitigate the breach and what will be done to stop it from happening again.

The bottom line, Rush says, is that “sponsors need to give cybersecurity protection a lot of forethought to ensure their vendors adequately protect their participants’ data with strict security measures. Sponsors must do their due diligence on the front end to look at their vendors’ policies.”

Levin adds: “The best practices for sound cybersecurity protections are more or less universal across industries and organizations. Sponsors need to invest in cybersecurity protections and nurture a culture of privacy and security—from the mailroom to the boardroom. They need to hire qualified IT [information technology] staff, use the most up-to-date security software, train employees to recognize the telltale signs of phishing and other suspicious behavior, have a robust cyber-incident insurance policy in place and use secure methods to transmit sensitive information and data. Finally, they need to vet and continuously monitor their vendors.”