“With so many examples of data hacking in the news, I’m curious about what cybersecurity standards apply for qualified retirement plans?”
ERISA consultants at the Retirement Learning Center Resource Desk regularly receive calls from financial advisors on a broad array of technical topics related to IRAs and qualified retirement plans. We bring Case of the Week to you to highlight the most relevant topics affecting your business.
Highlights of Discussion
- Great question! There is an understanding under Department of Labor (DOL) Regulation Section 2520.104b-1(c) and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential. However, presently, there is no comprehensive federal regulatory regime covering cybersecurity for retirement plans.
- Each state has different laws governing cybersecurity concerns that may come into play. Unfortunately, many retirement plans cover multiple states or retirees who have moved out of state.
- At the end of 2016, the ERISA Advisory Council issued a report entitled, Cybersecurity Considerations for Benefit Plans [1]. “The Report” puts forth considerations for the industry for navigating cybersecurity risks. The considerations relate to the following three key areas. Please refer to the report for more details.
1. Establish a strategy
- Identify the data (e.g., how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
- Consider following existing security frameworks available through organizations such as the Nation Institute of Standards and Technology (NIST), Health Information Trust Alliance (HITRUST), the SAFETY Act, and industry-based initiatives.
- Establish process considerations (e.g., protocols and policies covering testing, updating, reporting, training, data retention, third party risks, etc.).
- Customize a strategy taking into account resources, integration, cost, cyber insurance, etc.
- Strike the right balance based on size, complexity and overall risk exposure.
- Consider applicable state and federal laws.
2. Contracts with service providers
- Define security obligations.
- Identify reporting and monitoring responsibilities.
- Conduct periodic risk assessments.
- Establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared.
- Consider whether the service provider has a cyber security program, how data is encrypted, liability for breaches, etc.
3. Insurance
- Understand overall insurance programs covering plans and service providers.
- Evaluate whether cyber insurance has a role in a cyber risk management strategy.
- Consider the need for first party coverage.
- The ERISA Advisory Council has suggested that the DOL raise awareness about cybersecurity risks and provide information for developing a cybersecurity strategy specifically focused on benefit plans.
- The Report concludes with an appendix entitled, Employee Benefit Plans: Considerations for Managing Cybersecurity Risks (A Resource for Plan Sponsors and Service Providers). At this time, no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level. The ERISA Advisory Council has provided suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.
Conclusion
At this time, no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level. The ERISA Advisory Council has provided suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.