Best Practices for Plan Sponsors: The Importance of Internal Controls and Audit and Investigation Readiness

Diane Wasser, partner-in-charge of EisnerAmper’s Pension Services Group, recently sat down with Callan Carter, special counsel at Trucker Huss, APC, a firm of ERISA and employee benefits attorneys, to discuss common retirement plan errors and how to avoid them. See below for some insightful answers.

Diane: 1) In the area of data privacy and security lies great risk for plan sponsors and participants given the personal information maintained by plan service providers.  Have any plans been the victim of a data security breach? 

Callan: Yes, many.  For example:

• In February 2015, using a phishing email, hackers breached Anthem, Inc.’s computer system affecting the personal information of an estimated 80 million customers and employees. Plaintiff lawsuits have been consolidated and are still pending.
• In June 2016, more than 91 deferred-compensation retirement accounts of Chicago municipal employees were breached. The governmental plan, with over $3.5 billion in assets, lost $2.6 million, which was taken from the plan in the form of fraudulent loans from 58 participant accounts. Participants’ personal information was used to set up web profiles that were then used to take out the fraudulent participant loans. The plan sponsor, the City of Chicago, restored the funds to the 58 breached accounts and the plan offered two years of free credit monitoring.
• In July 2016, a cyberattack targeted a grocery workers’ union pension plan in St. Louis. The plan data was taken hostage by ransomware (software that encrypts or locks data on a device or network) and the union received a ransom demand for three bitcoins (worth about $2,000 at that time) to unlock the data. In this case, the data was retrieved from a backup server and the plan did not pay the ransom.  Instead, the union hired a third-party forensic analyst to investigate the breach. The plan relied on its backup server until the breach was eliminated. The investigation revealed that the hacker had gained access to the server one week prior to the attack. The breach potentially exposed 18,000 participants’ information, including names, birth dates, social security numbers, and bank account information. The plan’s trustees offered participants one year of free credit monitoring.

D: 2) Are there certain protective measures plan sponsors can take to protect plan data?

C: I recommend that, at a minimum, retirement plan sponsors follow the privacy and security framework established under HIPAA for group health plans.  The HIPAA Security Rule includes standards that group health plans must address which retirement plans should address ( e.g., utilizing electronic systems to encrypt data, detect and eliminate the source of a breach, recover any lost data, restore the integrity of the system, safely destroy hardware, etc.).  This is a good starting point for retirement plans.   These and other measures are set forth in the November 2016 ERISA Advisory Council Report “Cybersecurity Considerations for Benefit Plans” which focused on outlining cyber risk management strategies for plan sponsors.

Plan fiduciaries should:

• Identify all plan service providers (and their service providers);
• Ensure all service providers’ security measures are up-to-date (failure to do so is arguably a breach of fiduciary duty for failure to act prudently in selecting and monitoring their service providers);
• Review agreements with all service providers to ensure there are contractual provisions mandating the protection of plan data, compliance with federal and state privacy laws and allocations of potential liability;
• Consider purchasing cyber liability insurance for potential breaches.  Plan sponsors should evaluate existing liability insurance and determine whether cybersecurity insurance will address gaps in other coverages – as traditional liability coverages may not cover a cybersecurity breach. Cyber insurance is still evolving within the insurance industry, and plan sponsors should work with their insurance brokers to carefully review their policies to determine the type and scope of coverage, policy and individual incident limits, and other important terms and limitations.
• Update the sponsor’s cyber security policies and procedures to include measures that anticipate what to do when a cyber-attack occurs;
• Train employees on your security policies as well as what a phishing email looks like;
• Keep computer systems updated, including prompt installation of software patches;
• Stay current on electronic threats and effective responses; and • Limit your employees’ use of portable devices

DOL’s Technical Release No. 2011-03 explicitly includes as one of the conditions for utilizing the electronic media disclosure that the plan administrator take “appropriate and necessary measures reasonably calculated to ensure that the electronic delivery system protects the confidentiality of personal information.’’  When your plan experiences a data breach, the fiduciaries need to be able to point to the actions they took to secure that breached data.

D: 3) If a plan sponsor becomes aware of a data breach involving plan data, what should be the first thing they do?

C: The plan sponsor would want to:

• Enlist a third-party forensic analyst to investigate the breach
• Eliminate the source of the breach
• Measure the extent of the damage caused by the breach
• Recover any lost data
• Restore the integrity of the system by having additional safeguards put into place to counter the source of the breach
• Offer free credit monitoring services to participants with breached accounts
• If the plan is subject to HIPAA, report the event to the HIPAA Privacy and Security Official(s)

EisnerAmper and Trucker Huss will be co-hosting a webinar entitled “Common Retirement Plan Errors & How to Avoid Them” on January 23.