Cybersecurity is a top concern for many U.S. businesses and industries. The retirement plan industry holds over $37 trillion in total participant retirement accounts, yet only 27 percent of plan sponsors have a written cybersecurity policy, according to the 65th annual Survey of Profit Sharing and 401(k) Plans by the Plan Sponsor Council of America (PSCA). Government regulation has driven cybersecurity enhancements in other industries (such as enhanced safeguards for credit cards and online accounts in the banking industry). While the retirement industry currently lacks a comprehensive system of cybersecurity laws and regulations, the Department of Labor (DOL) has turned its attention to cybersecurity for employee benefit plans.
In April 2021, the DOL issued cybersecurity guidance in the form of tips for plan sponsors when hiring a service provider, best practices for protecting plan data, and online security information for participants and beneficiaries. None of this guidance is required by law, but the DOL is using these tools as a basis to ask for more cybersecurity-related information when it audits plans. Since issuing the guidelines, the DOL has increasingly expressed interest in gathering information about audited plans’ documents for policies, procedures, and guidelines related to cybersecurity. It has also begun requesting specific details from plan sponsors as to how their plan service providers use participant data. According to the PSCA study, 56 percent of plans have a participant data use policy as part of the recordkeeper service agreement. If a plan is audited by the DOL, the plan sponsor should be prepared to answer questions about such policies and provide follow-up information if requested.
The DOL ERISA Advisory Council (the Council) consists of 15 appointees representing the interests of employer organizations, employers, specific industry fields, and the general public. The Council’s December 2022 report analyzed how cybersecurity insurance addresses risk in employee benefit plans. The Council heard from a number of industry experts representing a wide cross-section of interests; the central themes of the testimony were that the issue is complex, not widely understood, and requires further study. For instance, one witness suggested the Council consider whether the Employee Retirement Income Security Act of 1974 (ERISA) requires plan fiduciaries and service providers to guarantee a loss when they took reasonable steps to prevent fraud.
With the increased regulatory focus and greater awareness of cyber vulnerabilities within the retirement plan industry, plan sponsors are looking for ways to meet their fiduciary responsibility in mitigating retirement plan cybersecurity risks. The following are just a few of the currently available ways in which sponsors can address the risks:
For sponsors considering retirement plan cybersecurity insurance, a key question when evaluating potential policies is which party would be liable for a cybersecurity breach. Additional considerations include identifying who the insured party is (the sponsor, the plan, or both?), who is responsible for purchasing the policy (the sponsor or the plan?), and the full scope of the policy (in other words, what is or is not covered in the event of a cyber breach?).
Another aspect to think about is how much coverage the policy needs to provide. According to this year’s IBM Cost of a Data Breach Report, the average cost of a breach in the United States was $9.48 million. The sponsor should also consider factors unique to its company and the plan, such as the number of participants and the volume of sensitive data held.
Through the DOL’s audit investigations, some sponsors are feeling increased pressure to implement a cybersecurity risk management program that has policies and procedures directly addressing the employee benefit plan.
If a sponsor decides to adopt a risk management program, ensuring the policy is the right fit is crucial. A boilerplate policy is generally not a good approach, since it may not fully align with the company’s processes and procedures. Any program put in place around the plan’s cybersecurity should be clearly understood, routinely followed, and updated regularly. A program that is put into place but not followed or updated could itself become evidence in the event of plan litigation following a cyber breach.
As cyber technology continues to evolve, adding an IT professional to the plan administrative committee (those charged with plan governance) keeps the committee informed about emerging trends and advancements in cybersecurity. The IT professional can also help educate the committee on the latest cyber tools and best practices, as well as help in the evaluation process to understand the technological aspects of the plan, such as software systems, data security, and infrastructure requirements. This professional can also encourage the committee to provide appropriate time and resources for plan cybersecurity.
Overall, including an IT-proficient employee on the committee charged with oversight and administration of the plan can help ensure the technology-related aspects of the retirement plan are well managed, secure, and aligned with the company's goals.
The cyber community has fully embraced the idea that it is no longer a question of who is responsible in the event of a cyber breach, but rather that all parties share in the responsibility for cybersecurity. The plan sponsor can play a key role in educating plan participants about their role in building a stronger cybersecurity defense. This education would include emerging trends in cyberhacking and proper risk-mitigation practices, such as two-factor authentication, regular account monitoring, and avoidance of phishing attacks. The PSCA study reported that 61 percent of plans have cybersecurity awareness campaigns and half have issued email alerts on specific cyber issues.
When determining a comprehensive approach to cybersecurity and assessing the plan’s cyber risk profile, plan sponsors should remember that ERISA’s standard of care stipulates that fiduciaries must act in the best interests of participants and beneficiaries. Cybersecurity risks are an ongoing part of current-day plan administration; as such, plan fiduciaries have a responsibility to ask questions and take procedural steps to reduce cybersecurity risk as much as reasonably possible.
Knowing what the plan’s service providers are doing to prevent cybersecurity attacks, educating participants, and documenting policies and controls are all sound actions to protect both the plan and the sponsor in the event of a cyber breach.
For larger plan sponsors or those who have experienced a breach, System and Organization Controls (SOC) for cybersecurity reports can provide an independent assessment of the sponsor’s implemented cybersecurity controls. Having these reports allows plan sponsors to better manage their risk, support compliance, promote transparency, and make informed decisions about plan vendor selection and monitoring.
Each plan sponsor is tasked with evaluating their plan’s unique cybersecurity risks and needs.