The recent Equifax and Yahoo security breaches affected an astounding number of people and served as a fire alarm to individuals and businesses alike regarding cybersecurity. Because 401(k) plans are the primary savings vehicle for Americans, immediate attention should be directed toward protecting 401(k) plan assets from cyber risk. This article focuses on the considerations and measures 401(k) plan sponsors and fiduciaries can take to protect plan participants and, in doing so, fulfill their fiduciary obligations to guard against cyberattacks on their 401(k) programs. The article is written in the context of 401(k) plans, but the discussion applies to most benefit plans.
A Fiduciary Matter
Plan fiduciaries, including plan sponsors and fiduciary committees, have a broad duty under the Employee Retirement Income Security Act (“ERISA”) to act solely in the interest of plan participants and beneficiaries “with care, skill, prudence and diligence…” This standard requires plan fiduciaries to take the actions needed to serve plan participants and beneficiaries and to monitor the plan’s service providers. In recent years there has been substantial guidance and discussion regarding the monitoring of plan fees and expenses. Although the Department of Labor (the “DOL”) has not officially issued guidance on the actions fiduciaries should take in the present climate, the recent news of massive cybersecurity breaches should lead fiduciaries to focus on cybersecurity with the same zeal they apply to monitoring plan fees and expenses. By addressing cybersecurity risks, fiduciaries limit their own exposure and, more importantly, protect the plan participants and beneficiaries whom they serve.
In recent years, firms and vendors that work with retirement plans have offered and encouraged plan sponsors and their fiduciary committees to attend fiduciary training. Fiduciary education should include a section on cybersecurity and measures that should be taken to reduce cyber threats to 401(k) plans.
Advisory Council Guidance
In 2016, the ERISA Advisory Council (the “Council”) held hearings and investigated the cybersecurity threat. The Council articulated actions that should be taken to protect against the cybersecurity threat and, in early 2017, issued a report entitled “Cybersecurity Considerations for Benefit Plans” (the “Report”). The published study serves as recommendations to the DOL. The DOL has not issued guidance directly addressing cybersecurity. Until the DOL issues guidance, the Report provides meaningful guidance to plan sponsors and fiduciaries.
Among the recommendations offered by the Report is the establishment and operation of a security risk management strategy. The nature of the strategy depends largely on the business and the employee benefit plans involved. Elements common to every strategy include:
- establishing who is responsible for the design and implementation of the strategy;
- ongoing monitoring to guard against hackers, including testing of controls;
- training those with access to plan data;
- hiring practices, including background checks;
- limiting user access to specific payroll or HR personnel; and
- establishing and carrying out data retention and encryption policies and practices.
A critical element of the cybersecurity risk management strategy is the selection and monitoring of third-party service providers. Third-party service providers, such as 401(k) plan record-keepers, have access to sensitive participant data, including participants’ names and addresses, social security numbers, beneficiary information and bank information. Moreover, 401(k) plans hold liquid assets that cyber criminals may readily target. Because plan sponsors do not control a service provider’s hiring process or internal controls, extra care must be taken in the selection and monitoring of such providers.
The Report offers a list of questions plan sponsors should pose to their benefit plan providers, which include:
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will the plan’s data be maintained and protected?
- Will the data be encrypted at rest, in transit and on devices, and is the encryption automated (rather than manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate to permitted uses and restrictions on data use?
- What are the service provider’s protocols for notifying plan management in the case of a breach and are the protocols satisfactory?
- Will the service provider agree to regular reports and monitoring and what will they include?
- Does the service provider regularly submit to voluntary external reviews of their controls (such as Service Organization Control or SOC reports or a similar report or certification)?
- What is the level and type of insurance coverage that is available?
- What is the level of financial and fraud coverage that protects participants from financial damage?
- If the service provider subcontracts to others, will the service provider insist on protections (as noted above) in its agreement with the subcontractor?
- What controls does the service provider have in place over physical assets that store sensitive data, including when such assets are retired or replaced (servers, hard drives, mobile devices, etc.)?
- What are the service provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)?
Service Provider Agreements
Several of the questions that plan sponsors should pose to their service providers can be addressed in the service agreement between the plan sponsor and the service provider. Service agreements should include a section specifically addressing cybersecurity. At a minimum, the provisions should require the third-party provider to maintain adequate controls to protect sensitive data, to give notice of a data breach to the affected participants and the plan sponsor, and to submit to external audits or reviews. Since several state laws require notice to affected individuals in the event of a breach, the service agreement should clearly define who (plan sponsor or service provider) has the duty to act in accordance with state law when a breach occurs.
In addition, service agreements should include provisions under which the service provider accepts liability following a data security breach, together with an indemnification provision covering third-party claims from a plan participant or other party. The agreement should further require the service provider to maintain cyber insurance at a level commensurate with the size and demographics of the plan.
Plan sponsors should review their existing service agreements now. If an agreement lacks a cybersecurity provision, or its provision is insufficient, a revised agreement or an agreement rider should be put in place.
In addition to the steps above that fiduciaries can take to protect against cyberattacks, cybersecurity should be incorporated into participant education. Just as a purse or wallet should not be left visible in a locked car, participants should take preemptive measures to protect their benefits. Participants can limit, and even eliminate, cyber risk before it materializes if they are aware of the threat and advised as follows:
- Regularly check their accounts for unauthorized activity.
- Protect their passwords and login information. If passwords must be written down or stored, they should be kept in a locked file or otherwise secured. Participants should change their passwords regularly.
- Stolen laptops are a common source of data breaches. Laptops should be protected with encryption.
- Read plan-issued materials and do not discount plan correspondence as “junk mail.”
Participant plan education should include materials addressing cybersecurity and, for live presentations, a discussion of best practices for cybersecurity.
Faced with the real and present threat of a cyber breach, plan sponsors and fiduciary committees need to acknowledge the threat to the employee benefit plans for which they are responsible. In keeping with the recommendations of the ERISA Advisory Council, plan fiduciaries should discuss, design and implement a “risk management strategy.” The strategy must be tailored to the business, the company’s benefit plans and the participant demographic. The critical elements of the strategy should include:
- Vendor Monitoring. Ask the critical questions outlined above of third-party service providers at the request for proposal stage as well as on an ongoing basis.
- Insurance. Verify the cyber insurance coverage carried by third-party service providers, and also review the plan sponsor’s own fiduciary liability umbrella policy and cybersecurity insurance coverage.
- Service Agreements. Negotiate, review and, to the extent necessary, update vendor contracts.
- Education. Educate participants on the importance of self-protection and vigilance.
By following these steps, plan sponsors and fiduciaries can fulfill their fiduciary obligations and, in doing so, protect the hard-earned benefits of plan participants and their beneficiaries.