As of 2018, the Employee Benefits Security Administration estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants, covering estimated assets of $9.3 trillion. These plans carry sensitive data on each participant (e.g. social security number, salary information, date of birth), and as a result the risk of employee benefit plans being targeted by cybersecurity attacks has dramatically increased. Without sufficient protections, these participants and assets may be at risk from both internal and external cybersecurity threats.
The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks. Plan Sponsors are encouraged to take preventive steps to protect participant information, which may include the following:
- Implementing a formal, well documented cybersecurity program that identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored information.
- Conducting annual IT cybersecurity risk assessments. Establishing criteria to evaluate the confidentiality, integrity, and availability of the information systems and nonpublic information, and documenting how existing controls address the identified risks. Describing how the cybersecurity program will mitigate or accept the risks identified.
- Having an independent auditor assess the Plan Sponsor’s security controls that will provide a clear, unbiased report of existing risks, vulnerabilities, and weaknesses.
- Ensuring that cybersecurity roles and responsibilities at the Plan Sponsor level are clearly defined and assigned.
- Implementing and documenting procedures for access to all IT systems and files containing sensitive participant data.
- Selecting and monitoring only third-party administrators that themselves follow strong cybersecurity practices.
- Ensuring that proper authorization and authentication policies are in place for access to “cloud” data or any information held by a third-party administrator.
- Reviewing and understanding the user entity control responsibilities, to prevent any compromise of data provided to the third-party administrator.
- Conducting cybersecurity awareness training at least annually for all personnel, covering the risks related to the Plan.
- Documenting a Business Resiliency Program that addresses Business Continuity, Disaster Recovery and Incident Response.
- Ensuring that sensitive data stored by the Plan Sponsor and sent to the third-party administrator is encrypted and stored properly.
- Implementing and executing best security practices for technical security through mechanisms contained in the hardware, software, or firmware components of the system.
- Implementing procedures to ensure there are documented policies on how to respond to cybersecurity incidents and/or breaches. The FBI and the Department of Homeland Security have set up valuable sites for reporting cybersecurity incidents.
As we have seen over the past several years, plan administrators have become easy targets for successful lawsuits, primarily resulting from a breach of fiduciary duties. Ensuring effective cybersecurity controls around plan information is now one of those important fiduciary duties to uphold. To avoid potential liability, plan administrators must always uphold their responsibilities and remember it is the fiduciaries’ primary objective to protect the interest of plan participants.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.