Cybersecurity Risk Surrounding Employee Benefit Plans

Employee benefit plans are frequently overlooked when considering cybersecurity risks or potential cyber threats. According to the Employee Benefits Security Administration (“EBSA”), as of 2018, the EBSA estimates that there are approximately 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. This puts a significant number of plan participants and plan assets at risk, and given the nature of the sensitive personal information in an electronic environment and, in most cases, the complete outsourcing of plan operations, cybersecurity should be top of mind for all plan sponsors. 

A key consideration is the number of people and providers that have access to plan information. In addition to the plan participants and plan sponsors, there are a host of others with the ability to access this information, including custodians, trustees, record keepers, payroll providers, sub-service organizations and third-party administrators.

In the case of a defined benefit plan or a health and welfare plan, you also have an actuary and a claims administrator, respectively. Any company or service provider that has access to or stores customer health information or any confidential data are at risk for exposure to this sensitive information. Cyber risk management is the focus of company boards, audit committees and IT governance professionals. There is a heightened concern due to the pronounced shift to paperless systems and a remote work environment. Plan sponsors and plan fiduciaries should take this very seriously as securing sensitive information is a fiduciary responsibility.

On April 14, 2021, the U.S. Department of Labor (“DOL”) issued cybersecurity recommendations for benefit plans that are governed  by the Employee Retirement Income Security Act of 1974 (“ERISA”). These recommendations are included in the following documents: 

• Cybersecurity Program Best Practices – This is geared toward plan fiduciaries and record keepers to help them manage cybersecurity risks.
• Tips for Hiring a Service Provider with Strong Cybersecurity Practices – This is a great tool to assist plan sponsors and fiduciaries in selecting service providers. As required by ERISA, plan administrators have a fiduciary responsibility to prudently select and monitor service providers. This document provides a list of useful questions to ask service providers, along with valuable information that should be considered when reviewing service agreements.
• Online Security Tips – This is information offered to plan participants who check their retirement accounts online. It provides some basic rules to help mitigate fraud risk.

These DOL-provided documents include many topics to assist plan sponsors, plan fiduciaries, record keepers and plan participants with valuable information. You can read these very informative and useful documents here.

It is also important to note that many states throughout the country have enacted laws regarding cybersecurity. Plan sponsors should be aware of them and consult with their attorneys with any questions or issues.