The ERISA consultants at the Learning Center Resource Desk, which is available through Columbia Threadneedle Investments, regularly receive calls from financial advisors on a broad array of technical topics related to IRAs and qualified retirement plans. A recent call with an advisor in New Jersey is representative of a common inquiry involving data security. The advisor asked:
“With so many examples of data hacking in the news, I’m curious: What cybersecurity standards apply to qualified retirement plans?”
Highlights of Discussion
Great question! There is an understanding under Department of Labor (DOL) Regulation Section 2520.104b-1(c) and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential. However, presently, there is no comprehensive federal regulatory regime covering cybersecurity for retirement plans.
Each state has different laws governing cybersecurity concerns that may come into play. Unfortunately, many retirement plans cover multiple states or retirees who have moved out of state.
At the end of 2016, the ERISA Advisory Council issued Cybersecurity Considerations for Benefit Plans, a report that sets forth considerations for the industry for navigating cybersecurity risks. The considerations relate to the following three key areas. Please refer to the report for more details.
1. Establish a Strategy
- Identify the data (e.g., how it is accessed, shared, stored, controlled, transmitted, secured and maintained).
- Consider following existing security frameworks available through organizations such as the National Institute of Standards and Technology (NIST), the Health Information Trust Alliance (HITRUST), the SAFETY Act, and industry-based initiatives.
- Establish process considerations (e.g., protocols and policies covering testing, updating, reporting, training, data retention, third party risks, etc.).
- Customize a strategy taking into account resources, integration, cost, cyber insurance, etc.
- Strike the right balance based on size, complexity and overall risk exposure.
- Consider applicable state and federal laws.
2. Contracts with Service Providers
- Define security obligations.
- Identify reporting and monitoring responsibilities.
- Conduct periodic risk assessments.
- Establish due diligence standards for vetting and tiering providers based on the sensitivity of data being shared.
- Consider whether the service provider has a cyber security program, how data is encrypted, liability for breaches, etc.
3. Insurance
- Consider the need for first party coverage. Understand overall insurance programs covering plans and service providers.
- Evaluate whether cyber insurance has a role in a cyber risk management strategy.
- The ERISA Advisory Council has suggested that the DOL raise awareness about cybersecurity risks and provide information for developing a cybersecurity strategy specifically focused on benefit plans.
The ERISA Advisory Council report concludes with an appendix entitled, “Employee Benefit Plans: Considerations for Managing Cybersecurity Risks (A Resource for Plan Sponsors and Service Providers).”
Conclusion
At this time, no comprehensive cybersecurity protocol for retirement plan administration exists at the federal level. The ERISA Advisory Council has provided suggested materials for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program.
The Learning Center Resource Desk is staffed by the Retirement Learning Center, LLC (RLC), a third-party industry consultant that is not affiliated with Columbia Threadneedle. Any information provided is for informational purposes only. It cannot be used for the purposes of avoiding penalties and taxes. Columbia Threadneedle does not provide tax or legal advice. Consumers consult with their tax advisor or attorney regarding their specific situation.
Information and opinions provided by third parties have been obtained from sources believed to be reliable, but accuracy and completeness cannot be guaranteed by Columbia Threadneedle.
Columbia Threadneedle Investments (Columbia Threadneedle) is the global brand name of the Columbia and Threadneedle group of companies.
©2017, Columbia Management Investment Advisers, LLC. Used with permission.
