Cybersecurity 2.0: Practical Guidance for Advisors & Plan Sponsors—Part 2

Practice Management

[Editor’s Note: This is the second of a two-part series. Click here to read Part 1.]

In Part 1, we highlighted the importance of cybersecurity measures, recent guidance from the Labor Department, and five key areas on which to focus: 

  1. Service provider cybersecurity programs 
  2. Third-party audit report 
  3. Cyber insurance 
  4. Contractual provisions
  5. Data sharing best practices   

Also in Part 1, we examined the first two items: service provider cybersecurity programs and the third-party audit report. In this conclusion, we’ll address the other three items on the list.

Cyber Insurance

Recordkeepers and TPAs should have cyber insurance to cover data breaches. Commercial general liability policies don’t cover cybersecurity incidents and E&O policies don’t always cover them.

Ask service providers if they have cyber insurance that covers:

  • Liability for loss of confidential information by allowing (or failing to prevent) unauthorized access to computer systems
  • The costs associated with a privacy breach, such as participant notification, customer support, and costs of providing credit monitoring services to those affected
  • The costs associated with restoring, updating, or replacing business assets stored electronically
  • The costs of business interruption and extra expenses related to a security or privacy breach
  • Expenses related to cyber extortion or cyber terrorism

You should also ask if the service provider has insurance covering employee malfeasance/theft, although this is usually covered in an Employment Practices Liability policy, not a cybersecurity policy.

Finally, be sure to ask if there are any sub-limits or specific endorsements that may limit coverage. For example, a $10 million policy could include a sub-limit of $250,000 for a particular type of claim.

Contractual Provisions

Plan sponsor contracts with recordkeepers and TPAs should include cybersecurity provisions. For existing agreements, this means that plan sponsors should audit them for compliance with the current DOL guidance.

Cybersecurity-related contractual provisions should include:

  • Security obligations
  • Data privacy and restrictions on sharing participant data
  • Indemnification
  • Limitation on liability
  • Compliance with applicable data protection laws
  • Breach notification provisions
  • Insurance requirements

Data-sharing Best Practices

Many service providers (particularly recordkeepers) make non-plan services available within ERISA-covered plans, such as financial planning, wellness solutions, health-tracking wearables, student debt solutions, insurance evaluation tools, and more. Those who market these tools and services receive participant data and use it for their own purposes. These third-party offerings are often integrated into the recordkeeping service and are indistinguishable from the service itself.

The types of data these tools collect from plan participants may trigger additional laws such as HIPAA, state medical information privacy laws, and state consumer data protection laws, including the California Consumer Protection Act. 

Currently, mitigating the risk of using participants’ data to cross-sell additional services is not a fiduciary obligation. It has been part of case settlements, but district courts have not yet held that plan sponsors are responsible for ensuring that service providers do not cross-sell additional services. In our opinion, this may change in the future—but it has not yet, in the opinion of a court. 

Nonetheless, when it comes to data sharing, it’s prudent for plan sponsors to take on additional due diligence and ask these questions:

  • Does the recordkeeper market (or plan to market) non-plan services to plan participants? If so, how?
  • If third-party services are made available, what are they—and can any (or all) be excluded from the plan?
  • What data does the third-party service provider receive?
  • What are the recordkeeper’s minimum security requirements for third-party services?

In addition, plan sponsors may contractually require the recordkeeper to limit its use of participant data for cross-marketing non-plan products and services to only those participants who opt in to receive this kind of marketing.

Next Steps

This two-part post represents just a starting point for action items addressing cybersecurity and privacy for retirement plans. Even with a five-point focus, it will take time for plan sponsors to go through all the necessary steps to be sure they’ve managed cybersecurity-related fiduciary risk appropriately. Advisors and service providers who can help plan sponsors manage this undertaking will be in a great position to win new business and retain their current clients. 

Bonnie Treichel, JD is the Founder and Chief Solutions Officer of Endeavor Retirement. She has been both an ERISA attorney and financial advisor. 

Bonnie Page is a privacy and technology attorney. She has held positions as General Counsel and Chief Legal Officer to several technology companies, including Smarsh, Inc., where she was responsible for building the company’s privacy and security function.