Cybersecurity 2.0: Practical Guidance for Advisors & Plan Sponsors—Part 1

Fiduciary Governance

[Editor’s Note: This is the first of a two-part series.]

With millions of dollars in assets, as well as extensive and sensitive participant data, ERISA-covered plans will always be a target for cyber criminals. It is more important than ever for plan sponsors to take whatever actions they can to contain cyber risks.

Even before Russia’s attack on Ukraine heightened the risk of cyberattacks, there were strong reasons to support shoring up plan cybersecurity. In April 2021, the Department of Labor (DOL) issued guidance to help the retirement industry fight cybercrime. In addition to providing best practices, this guidance established what had long been assumed: mitigating the risks of cybersecurity breaches is a fiduciary obligation on par with investment selection and plan administration. 

Recently, we’ve also seen several cases that involve disclosures of participant data or data breaches that expose participant data, which further emphasize the need for both plan sponsors and their service providers—such as third-party administrators (TPAs) and recordkeepers—to ensure that they are meeting privacy and security obligations.

And, just in case you still need convincing that cybersecurity issues aren’t going away, in February the Securities and Exchange Commission (SEC) proposed a package of new rules to enhance preparedness and improve the cyber resilience of investment advisors and investment companies.

Clearly, now’s the time for “Cybersecurity 2.0” for retirement plans.

Practical Guidance for Plan Sponsors: Five Areas to Focus On

For plan sponsors and their advisors, consultants, and service providers, the urgency—and enormity!—of Cybersecurity 2.0 is probably daunting. To get you started, we’ve broken down the best practices to limit cybersecurity risk into five focus areas, taking into account the DOL guidance (and the SEC proposal, where applicable), the litigation landscape, and privacy laws: 

  1. Service provider cybersecurity programs 
  2. Third-party audit report 
  3. Cyber insurance 
  4. Contractual provisions 
  5. Data sharing best practices 

Let’s look at these areas of focus in more detail and what you need to know.

Service Provider Cybersecurity Programs

The DOL’s Cybersecurity Program Best Practices provides a comprehensive checklist of what to look for in a service provider’s cybersecurity program. 

The guidelines cover areas such as access controls, end-point protection, log monitoring, network security, device security and more. Start by reviewing the DOL guidelines. Advisors, you can help your plan sponsor clients understand what to look for in the service providers they work with, and what questions to ask of them.

Third-Party Audit Report

The DOL states that a plan fiduciary can have “much more confidence” in a service provider’s systems and cybersecurity practices if they are backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality. Most U.S.-based service providers use SOC 2 audit criteria, although companies can use a NIST or ISO 27001 framework.

Here are the important things to look for in a third-party audit report:

  • Scope—Make sure the third-party audit covers all the systems, processes and services that the plan will purchase from the third party. The audit report should also indicate whether any third-party sub-processors support the audited system.
  • Audit specifics—Depending upon the audit framework, the audit will assess a variety of security controls. In a SOC 2 audit, it is important to know which control groups have been audited, and to make sure that they include security, confidentiality, availability, and data integrity. For an ISO 27001 audit, you’ll receive only a certification that the audit was completed according to ISO standards; that certification is sufficient for compliance purposes.
  • Exceptions—Look for any exceptions indicated in the audit report—and follow up with questions to the service provider to get more details. Some examples of red-flag exception language include “the controls were not suitably designed,” “disclaim an opinion,” “omission,” “misrepresentation” or “inadequate.” 

Part 2 of this series addresses cyber insurance, contractual provisions and data sharing best practices.

Bonnie Treichel, JD, is the Founder and Chief Solutions Officer of Endeavor Retirement. She has been both an ERISA attorney and financial advisor. 

Bonnie Page is a privacy and technology attorney. She has held positions as General Counsel and Chief Legal Officer at several technology companies, including Smarsh, Inc., where she was responsible for building the company’s privacy and security function.