It’s Time to Consider Cybersecurity Risk for Employee Benefit Plans
April 20, 2022
By Kevin Nardone
Efforts to understand and manage cybersecurity risks are gaining momentum in boardrooms across all industries. Most companies have added this topic to their list of current strategic priorities. Headlines remind business leaders of the risks surrounding cybersecurity and the increasingly difficult process of recovering from a cyberattack or data breach. The benefit plan industry is no different, and regulators in this space are doing their best to chime in. In April 2021, the Department of Labor (“DOL”), through its Employee Benefits Security Administration (“EBSA”) arm, released cybersecurity guidance setting out its position that mitigating cybersecurity risk is part of a plan sponsor’s fiduciary duty. The guidance also set out minimum expectations for plan sponsors and their service providers.
Why is a risk assessment related to cybersecurity so important when it comes to employee benefit plans?
Since most of the activity and basic plan operations are outsourced to service providers—including recordkeepers, custodians and third-party administrators—it can be easy to overlook the importance of assessing cybersecurity risks and the potential for breaches impacting employee benefit plans. However, this significant amount of outsourcing elevates cybersecurity risk: sensitive information is exchanged electronically among many parties, and every hand-off is an additional point of exposure. Plan sponsors, custodians, recordkeepers, third-party administrators, payroll providers and participants all share personal information in the administration of employee benefit plans. All parties have access to names, dates of birth, Social Security numbers, home addresses, compensation and even sensitive information related to beneficiaries. In the case of health and welfare plans, these parties also have access to private medical information. Any company or service provider that accesses, transmits or stores this information is a potential point of exposure, and the plan’s overall risk is only as low as its weakest participant in that chain.
What is a plan sponsor’s responsibility when it comes to employee benefit plans?
Plan sponsors owe plan participants fiduciary duties of prudence and loyalty, and the recent EBSA guidance treats protecting plan data as part of those duties. A central element of the fiduciary role is the safeguarding of plan assets, and any failure to do so may result in liability for breach of fiduciary responsibility. Traditionally, when we hear the term “assets” in relation to employee benefit plans, we immediately think of plan investments. What about participant data? Could this be considered a plan asset?
The Employee Retirement Income Security Act (“ERISA”) of 1974 does not explicitly state whether participant data is a plan asset. However, under the DOL’s electronic disclosure regulation at 29 CFR §2520.104b-1(c)(1)(i), a plan furnishing documents through electronic means must take appropriate and necessary measures reasonably calculated to protect the confidentiality of personal information relating to participants’ accounts and benefits, including measures designed to preclude receipt of or access to that information by anyone other than the intended recipient. Whether or not data is formally a plan asset, then, plan sponsors must ensure that plan data is protected by all parties involved as part of their fiduciary responsibility.
In overseeing the sharing, retention and use of participant data, it is important to incorporate these steps within your cyber risk assessment process:
- Identify the information collected by service providers.
- Review service provider contracts for terms governing the use and retention of participant data, any cross-marketing practices and each party’s responsibilities in the event of a breach.
- Identify every system used to send information to service providers, and every system the service providers themselves use to process it, and confirm how participant information is protected on each (for example, encryption in transit and at rest, and restrictions on who can access it).
- Request cybersecurity policies and procedures from service providers and assess their appropriateness. Ask whether compliance with, and the effectiveness of, those policies has been independently tested, and request the results of any such audits or tests.
- Educate employees on cybersecurity risks, including periodic cybersecurity awareness training.
While the above is not an all-inclusive list, it is a good starting point to encourage brainstorming and collaboration about cybersecurity vulnerabilities. It is important that legal counsel be included when reviewing service provider contracts. Contracts should include limitations on the use of and access to plan and participant data: access only as needed to provide the agreed-upon services, proper disposal of data no longer needed, and the use of encryption and logical access controls. Review contracts for language about protocols for addressing any cybersecurity breach, including notification of affected parties, remediation efforts and related insurance coverage. While it is important to have the necessary preventative procedures in place, it is just as important to have procedures in place to respond to a breach when safeguarding plan and participant data.
While the acknowledgment of the importance of cybersecurity, the related risk assessment process and the need to act has been gaining momentum, kickstarting your company’s campaign for enhanced cybersecurity practices can be overwhelming. We recommend that you utilize the DOL’s recent guidance to get started. Additionally, consult with your service providers to see what actions they have taken to address cybersecurity risks; many already have significant processes in place. Finally, if your time and resources do not allow your staff to fully assess the cybersecurity risk over your employee benefit plans, consider utilizing a service provider experienced in performing such risk assessments.