What Should Sponsors of Qualified Plans Know (and Do) About Cybersecurity?

Question: Our organization has taken great strides in recent years to improve the cybersecurity of our employment information, financial records and online transactions. However, during a recent leadership meeting, someone pointed out that we’ve paid little to no attention to our qualified retirement plan in this regard. What should we know — and do — about cybersecurity when it comes to our qualified plan?
Answer: A variety of bad things can happen to qualified retirement plans, including theft of participant assets and data breaches that expose sensitive information. When litigation occurs under the Employee Retirement Income Security Act (ERISA), judges look to whether the plan’s fiduciaries, which typically include the employer-sponsor, exercised “procedural prudence” in safeguarding plan participants’ interests.
More specifically, the law requires fiduciaries to carry out their authority “with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
Establishing and following a comprehensive cyber risk policy that targets threats to your qualified plan can help demonstrate procedural prudence, reduce legal exposure under ERISA and strengthen cybersecurity.
First Steps
Your first step in establishing (or updating) a plan-specific cyber risk policy is to assemble a team of task-appropriate representatives from key departments. This typically includes HR or benefits, IT, finance, and legal or risk management. In smaller organizations, some team members may have to wear multiple hats. Consider involving external experts as well, including legal counsel.
The team should begin by conducting a “gap analysis.” This is a systematic scouring of internal procedures and technology for weaknesses that could be exploited by hackers or disgruntled or unethical parties such as employees, vendors and contractors. Identify precisely whether and how plan data is encrypted, stored and transmitted. Look at who handles sensitive data and how they’re trained or vetted.
The team should also review how your organization trains employees to spot and prevent data breaches. Best practices include teaching staff how to recognize phishing schemes and explaining why they should avoid opening email attachments from unfamiliar senders, since such attachments may carry malware or ransomware. Employees should also change their passwords regularly. Many organizations now require two-factor authentication, whereby users must submit a one-time code, usually sent to their phones, in addition to their password to log in.
Essentially, the policy should address and clearly explain your organization’s approach to topics such as:
- Basic rules for everyone who handles sensitive plan information (including employees, contractors and vendors),
- Training requirements and procedures for those individuals,
- Technical standards for IT hardware and software,
- Insurance coverage, and
- A schedule for reviewing and updating the policy.
After drafting or updating the policy, have it reviewed by a qualified attorney and possibly an IT consultant before distribution. When you do distribute it, ask recipients to sign a written statement acknowledging that they’ve read the policy and will abide by it. As new people or entities come on board to help you with plan administration, give them a written copy of the policy and ask them to sign the acknowledgement statement as well.
Insurance Matters
Check to see whether your business liability insurance policy, assuming you have one, includes cybersecurity coverage. If it does, look into whether you still have the policy application on file. It likely includes questions about your organization’s cybersecurity practices that the underwriter needed answered to assess whether to write the policy and how to set premiums. Those questions and answers can be a helpful addition to your team’s gap analysis.
If you don’t have coverage, explore the cost and features of cyberliability insurance. These policies are specifically designed to cover financial damages an employer may incur because of a data breach. This generally includes investigative services, data recovery and identity recovery. Some policies also cover legal fees, customer notifications and settlement costs.
But reviewing your own insurance may not be enough. If your organization has engaged a third-party recordkeeper or administrator, determine what coverage the entity has in place.
Also inquire about the provider’s cybersecurity policies and practices. More specifically, ask third-party providers whether they can give you a Service Organization Control (SOC) 2 report. Valid SOC 2 reports provide a highly detailed overview of a service provider’s internal controls. Because these reports are intended for a restricted audience, they can go into great depth about how the entity safeguards your plan’s sensitive information.
Comprehensive Checklist
A comprehensive checklist specially designed to help maintain the cybersecurity of your qualified plan can improve the efficiency and completeness of regularly scheduled reviews and updates of your cyber risk policy. A quick Internet search should lead you to at least a few examples.
If you’re not fully confident in a checklist you develop in-house, engaging a cybersecurity consultant to review and improve it might be worth the investment. This would be an excellent demonstration of procedural prudence, too.
Leave Nothing to Chance
You’re not alone; many employers dedicate copious resources to cybersecurity when looking to protect customer and employee data, financial reports, and intellectual property. Yet, all the while, they do little to nothing to safeguard the information, systems and relationships that have to do with their qualified plans — which may contain millions of dollars in retirement funds! Be sure your organization leaves nothing to chance in this regard.
JCCS Offers Employee Benefits Services
Look to our trusted professionals to navigate the complexities of Employee Benefits at your organization. We offer a range of services including Defined Contribution Retirement Plans and Defined Benefit Retirement Plans. A well-designed employee benefit plan extends not only to the employees of the company, but to the company itself.