Cybersecurity has become a major concern for Plan Sponsors. It seems like every day we hear stories of information being stolen or breached in various industries, which has led to a series of quite logical questions for employers, such as: “How do we protect plan information?” and “What do we do if information is breached?” There is no perfect answer to either question, but the retirement plan industry seems to have reached consensus around a few considerations that may make this complex issue easier to navigate.
First, you should consider working with your service providers to make sure they are employing the latest cybersecurity measures. While there is some question as to whether monitoring for cybersecurity in general is a fiduciary obligation of a Plan Sponsor, there is no question that the duty to monitor your service provider is a core fiduciary responsibility. As such, it pays to incorporate a cybersecurity strategy into your contract with those service providers that have access to Personally Identifiable Information (PII).
Questions to Ask
In a November 2016 report to the Secretary of Labor, an industry advisory council came up with 14 questions regarding the protection of data that may be helpful when contracting with and evaluating service providers who deal with PII. The questions involve describing, monitoring, and reporting on cybersecurity capabilities. They also refer to insurance coverage and the need for back-ups and training to ensure that data can be replicated. This list of questions is currently considered the benchmark for cybersecurity within the retirement plan industry and should be reviewed with your vendors:
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will the plan's (or plans') data be maintained and protected?
- Will the data be encrypted at rest, in transit and on devices, and is the encryption automated (rather than manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate to permitted uses and restrictions on data use?
- What are the service provider’s protocols for notifying plan management in the case of a breach and are the protocols satisfactory?
- Will the service provider agree to regular reports and monitoring and what will they include?
- Does the service provider regularly submit to voluntary external reviews of their controls (such as SOC reports or a similar report or certification)?
- What is the level and type of insurance coverage that is available?
- What is the level of financial and fraud coverage that protects participants from financial damage?
- If the service provider subcontracts to others, will the service provider insist on protections (as noted above) in its agreement with the subcontractor?
- What controls does the service provider have in place over physical assets that store sensitive data, including when such assets are retired or replaced (servers, hard drives, mobile devices, etc.)?
- What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)?
Actions to Take
Even after following all the steps listed above, the worst can still occur. So what actions should a Plan Sponsor take? You should know ahead of time what your service provider’s policies are and the steps you (and potentially your participants) need to take. Every service provider will generally make a blanket statement that they “will make participants whole if a breach occurs.” However, we have found that certain providers may be more rigid about what constitutes a breach than others. For instance, if participants have not changed passwords, have given passwords to others, and don’t look at their quarterly statements, a service provider may be less likely to acknowledge this was an error that they need to correct. You should know and understand your vendor’s indemnification policies, and they should be part of your ongoing review process.
Most service providers with PII have systems that can use Multi-Factor Authentication (where, after you first log in, you get a text or e-mail with a code that needs to be entered before you can transact). This can help reduce the frequency of issues. They can also use biometric checks (such as thumbprint scans), require secure passwords, and perform many other types of safety checks before allowing participants to transact. Many service providers can also determine where a transaction originates and can flag a transaction that originates from outside the US. Your vendor should maintain all the latest security protocols, and an annual review of the cybersecurity protocols should be a normal part of your review with the firm.
Vendors today are subject to millions of cyber-attacks on a daily basis, and they spend millions (if not billions) of dollars on IT security measures to combat hackers. You don’t need to be a security expert, but you should have a basic understanding of how your vendor is monitoring for threats and guarding against attacks on its systems. When it comes to cybersecurity, it pays to follow the famous adage attributed to Benjamin Franklin that “an ounce of prevention is worth a pound of cure.”
Source: Advisory Council on Employee Welfare and Pension Benefit Plans, November 2016 report, “Cybersecurity Considerations for Benefit Plans.”