ERISA doesn’t explicitly require retirement plan fiduciaries to address cybersecurity, but they may not be off the hook in the event of a breach. Although a cyberattack in and of itself may not constitute a breach of fiduciary duties, the lack of a plan to avoid or appropriately respond to an attack might, considering fiduciaries’ responsibility to act with prudence.
“Due to the prolific nature of cyberattacks,” a recent white paper pointed out, “it may be difficult to argue that a prudent man would not consider and react to cyber-risks.”
The paper, released in late February by Pillsbury Winthrop Shaw Pittman, a New York City-based law firm that specializes in business and technology law, noted that it’s “virtually impossible” to eliminate entirely the risk of a cyberattack, but it is the responsibility of retirement plan sponsors to manage that risk. The paper urged retirement plan fiduciaries not to leave the responsibility to protect participant assets and information in the hands of their third-party administrators.
Fiduciaries should also consider the privacy laws in the state in which they operate, the paper noted, as “the extent to which ERISA pre-empts state privacy and data laws is currently being actively litigated.”
The paper outlines the responsibilities plan sponsors have regarding cybersecurity and offering best practices for developing an effective strategy.
An effective plan will include thorough due diligence on third-party administrators; contractual protections and insurance in arrangements with TPAs, with regular reviews of those contracts; regular review of the TPAs’ cybersecurity compliance and risks; and if appropriate, utilize protections in the SAFETY Act and purchase specific cybersecurity and privacy insurance.
(The Support Anti-Terrorism by Fostering Effective Technologies Act provides liability protections for the makers of cybersecurity and anti-terrorism technologies.)
Although most of a plan sponsor’s partners are affiliated with financial institutions with strict privacy and security regulations, the authors noted, some, like consultants or actuarial firms, may not be subject to such scrutiny. “As a first step, it is useful to know what regulatory landscape the TPA is subject to and, accordingly, the extent to which the TPA is already complying with a host of privacy and security laws,” the paper noted.
The key is that the plan sponsor take “affirmative measures” to vet a TPA’s cybersecurity protection.
The paper suggested several tools sponsors can use to take those measures. The Cybersecurity Assessment Tool offered by the U.S. Federal Financial Institutions Examination Council gives financial firms five criteria by which to measure their cybersecurity preparedness. They’re not required to take the assessment, but sponsors should ask their partners that are affiliated with financial services firms for the results of any assessment.
Sponsors can also directly request specific information from their TPAs, such as:
- Has the TPA implemented a cybersecurity program? Is there a named officer responsible for overseeing and enforcing the program?
- How is threat information shared with customers?
- How frequently does the TPA review threat risks?
- What controls exist to protect sensitive data? How does the TPA respond to potential threats to that data?
The contract between a retirement plan sponsor and its TPAs should include each party’s commitments, and should spread liability risk evenly.