ERISA doesn’t explicitly require retirement plan fiduciaries to address cybersecurity, but they may not be off the hook in the event of a breach. Although a cyberattack in and of itself may not constitute a breach of fiduciary duties, the lack of a plan to avoid or appropriately respond to an attack might, considering fiduciaries’ responsibility to act with prudence.
“Due to the prolific nature of cyberattacks,” a recent white paper pointed out, “it may be difficult to argue that a prudent man would not consider and react to cyber-risks.”
The paper, released in late February by Pillsbury Winthrop Shaw Pittman, a New York City-based law firm that specializes in business and technology law, noted that it’s “virtually impossible” to eliminate entirely the risk of a cyberattack, but it is the responsibility of retirement plan sponsors to manage that risk. The paper urged retirement plan fiduciaries not to leave the responsibility to protect participant assets and information in the hands of their third-party administrators.
Fiduciaries should also consider the privacy laws in the state in which they operate, the paper noted, as “the extent to which ERISA pre-empts state privacy and data laws is currently being actively litigated.”
The paper outlines the responsibilities plan sponsors have regarding cybersecurity and offering best practices for developing an effective strategy.
An effective plan will include thorough due diligence on third-party administrators; contractual protections and insurance in arrangements with TPAs, with regular reviews of those contracts; regular review of the TPAs’ cybersecurity compliance and risks; and if appropriate, utilize protections in the SAFETY Act and purchase specific cybersecurity and privacy insurance.
(The Support Anti-Terrorism by Fostering Effective Technologies Act provides liability protections for the makers of cybersecurity and anti-terrorism technologies.)
Although most of a plan sponsor’s partners are affiliated with financial institutions with strict privacy and security regulations, the authors noted, some, like consultants or actuarial firms, may not be subject to such scrutiny. “As a first step, it is useful to know what regulatory landscape the TPA is subject to and, accordingly, the extent to which the TPA is already complying with a host of privacy and security laws,” the paper noted.
The key is that the plan sponsor take “affirmative measures” to vet a TPA’s cybersecurity protection.
The paper suggested several tools sponsors can use to take those measures. The Cybersecurity Assessment Tool offered by the U.S. Federal Financial Institutions Examination Council gives financial firms five criteria by which to measure their cybersecurity preparedness. They’re not required to take the assessment, but sponsors should ask their partners that are affiliated with financial services firms for the results of any assessment.
Sponsors can also directly request specific information from their TPAs, such as:
- Has the TPA implemented a cybersecurity program? Is there a named officer responsible for overseeing and enforcing the program?
- How is threat information shared with customers?
- How frequently does the TPA review threat risks?
- What controls exist to protect sensitive data? How does the TPA respond to potential threats to that data?
The contract between a retirement plan sponsor and its TPAs should include each party’s commitments, and should spread liability risk evenly.
The TPA should be responsible for maintaining a comprehensive data security program, according to the paper, that are of course in compliance with any relevant industry standards and data privacy laws. That includes how data will be encrypted and how it will be destroyed.
The contract should also put restrictions on how the TPA can access and use plan and participant information, the security of PINs used by plan participants and the sponsor.
Of course, the agreement should also outline what the TPA’s obligations and liabilities are following a security breach, including notifying the sponsor or plan administrator, remediation after the attack and preserving evidence.
Pillsbury Winthrop stressed that it’s essential for plan sponsors to assess their TPAs’ cyber-risk systems throughout the relationship for two reasons. First, “ongoing assessment ensures that the initial legwork does not go to waste,” according to the paper. Second, and perhaps more important considering how quickly technology evolves, “legacy cybersecurity programs are often the most vulnerable to attacks.” Periodic assessments allow a sponsor to determine how well their TPAs are working to stay ahead of cyberthreats.
The paper noted that traditional liability insurance doesn’t necessarily provide full coverage for cyber-related risks. Consequently, sponsors should purchase additional cyber and privacy insurance to fill gaps in coverage. Such coverage can help sponsors with expenses related to crisis management, remediation and notification, business interruption, regulatory defense, and fines and penalties, as well as liabilities associated with network and information security, and communications and media.
Retirement plan sponsors can use the SAFETY Act to their advantage in one of two ways, according to the paper.
Prior to an attack, the sponsor could have its internal cybersecurity policies and procedures SAFETY Act-approved, which could limit the scope of claims that could be made against it in the event of an attack, according to the paper. Alternatively, the sponsor could require its TPAs to hold SAFETY Act protections, “as that would allow retirement plan sponsors and administrators to be dismissed from a broad array of claims alleging negligence or poor performance attributed to the third-party security products and services.”
The paper noted that obtaining protections under the SAFETY Act may constitute evidence that the sponsor’s cybersecurity program was reasonable and sufficiently met the sponsor’s fiduciary obligation.
— Check out Stay on Guard Against Cyberattacks on ThinkAdvisor.