Is Cybersecurity an ERISA Fiduciary Responsibility?
Plan sponsors and service providers already take seriously their responsibilities to protect participant data, but where are the lines of responsibilities and accountability in the event of a breach?
That was the focus of a workshop at the Plan Sponsor Council of America’s 2019 National Conference in Tampa, FL. The panel – Amy Gordon and Joe Adams, both partners at Winston & Strawn, and Wendy Carter, Vice President and Defined Contribution Director at The Segal Company – acknowledged that:
- there is no comprehensive federal regulatory scheme governing cybersecurity for retirement plans in the United States;
- ERISA is silent on data protection in the form of electronic records; and
- U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function.
Moreover, many service providers that serve the retirement market are covered by federal rules based on their industry, although plan service providers often cross several different industries, making standard compliance rules difficult.
ERISA Advisory Council Counsel
Adams noted that while there was no overarching guidance, in 2016 the ERISA Advisory Council outlined some basic prudent steps that ERISA plan fiduciaries should take to address these issues, and created its “Cybersecurity Considerations for Benefit Plans” resource.
While there is currently no consensus within the industry regarding which cybersecurity framework constitutes a “best practice” approach, there is no “one-size-fits-all” approach. Moreover, while prevention of every cybersecurity threat is impossible, there are steps that can be taken to limit the threat, including:
- Determining what is reasonable from a commercial perspective and an ERISA perspective for each plan.
- Acknowledging that the cybersecurity risk management strategy cannot be a static checklist.
- Including in the program regular reporting, frequent reviews and process updates that are specifically tailored to the plan’s needs.
Plan Sponsor Protocols
The panel noted that a diligent plan fiduciary will take steps to prevent a cyber breach, and offered the following suggestions for plan sponsors:
- Inventory the plan’s data, and consider using, sharing and maintaining only the minimum amount of data necessary. This applies to the plan sponsor’s data, as well as that used, shared and maintained by service providers.
- Devise a framework upon which to base a cybersecurity risk management strategy (e.g., the NIST framework or the SAFETY Act as models or possible starting points).
- Establish a process that includes implementation, monitoring, testing and updating, reporting, training, controlling access, data retention and/or destruction, and third-party risk management.
Ultimately, it was suggested that you need to balance the scope and cost of a strategy to manage cyber-risk against the size and sophistication of the plans and the plan sponsor, and decide what portion, if any, of the cyber-risk management costs (including insurance) should be borne by the plan rather than the plan sponsor. Finally, of course, you’ll want to ensure that any program also addresses any applicable state-specific cyber-risk requirements.
Service Provider Provisions
Additionally, the panel identified steps that could or should be taken with regard to service providers employed by the plan:
- Review applicable contract provisions with service providers, and require vendors to attest that the service provider or vendor has proper procedures in place to protect the plan’s data.
- Monitor the cyber protocols and practices of these providers on an ongoing basis to ensure they are sufficiently robust.
- Consider whether SAFETY Act certifications could fit into their overall cybersecurity risk management strategy.
- Consider retaining vendors that have or use SAFETY Act approved processes or procedures.
Also mentioned during the discussion was the work of the SPARK Institute in outlining best practices for recordkeepers.
The panel also suggested that plan sponsors should evaluate their insurance coverage/bonding policies to ensure they are covered in the case of a cybersecurity attack, and may want to look into purchasing an insurance policy or bond to protect against potential loss to the plan and plan participants.
It was noted that discussions with insurance brokers have revealed that a few different coverages (e.g., a cyber policy, a crime policy, errors and omissions insurance, and fiduciary insurance) may all need to be bundled to provide a comprehensive solution. It is also important to address cyber breaches that may occur at different plan interfaces (e.g., at the trustee, the administrator or participants). A negative factor with respect to insurance coverage is that where the actual cyber breach occurs may dictate whether the insurer will pay the claim: unless the cyber breach occurs at the plan sponsor’s interface, the claim may be denied.
Ultimately, it was noted that it is critical to get counseling on the appropriate cyber insurance plan to cover the specific needs of the plan.