Protecting Retirement Plans From Cyberattacks
December 14, 2021
Do you have a robust cybersecurity policy to keep your retirement plan safe from cybercriminals?
The 2021 Cyber Security Risk Report by Aon finds that, “organizations often have a false sense of confidence regarding data security, particularly when it comes to risks potentially posed by third-party service providers.” The ever-growing magnitude of the threat and the associated liability for plan fiduciaries require a systematic approach to managing this exposure.
A variety of bad things can happen to qualified plans — including theft of participant assets. When ERISA litigation results, judges look to whether plan fiduciaries exercised “procedural prudence” in safeguarding their participants’ interests.
Procedural prudence governs all 401(k) plans and requires plan fiduciaries to exercise their authority “with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
Establishing and following a comprehensive cybersecurity policy can help demonstrate procedural prudence. This, in turn, can reduce the chances of your plan becoming the victim of a cybercrime.
Your first step in establishing or updating your cybersecurity policy is to assemble a team to take on the task with representatives from key departments: HR (or benefits), IT, finance and risk management. Consider gathering input from external experts, including legal counsel and IT consultants.
The team should begin by reviewing internal procedures and technology safeguards for gaps. This means reviewing the cybersecurity procedures of your plan’s vendors as well. Review who has access to sensitive plan data and how the data is encrypted, stored and transmitted. Determine who handles sensitive data and how they are trained.
Next, review how you train your employees to detect and avoid phishing scams that can open the door to cybercriminals. Even if you previously drafted a cybersecurity policy, now may be a good time to review and update it for any changes in internal controls or procedures, such as those resulting from COVID-19 and a remote workforce.
Also, review your business liability insurance to make sure it includes cybersecurity protection. Such policies include an application that outlines various best practices and controls that you can use to help guide your search for security gaps. Make sure to review the cybersecurity insurance policies for your plan’s external recordkeeper and administrator as well. In addition, be sure to ask your plan’s vendors and recordkeeper if they have a service organization control report, known as a SOC 2 report, which addresses cybersecurity controls. Review the most current SOC 2 report to make sure that your plan’s vendors do not have any reported concerns that may affect your plan.
If you do not have a comprehensive cybersecurity checklist, a quick Internet search may lead you to many examples. However, we highly recommend hiring an experienced cybersecurity consultant who understands employee benefit plans to fully review your plan’s potential exposures. This would be an excellent demonstration of “procedural prudence.”
The foundation of a cybersecurity risk management policy includes best practices you identify as the steps to minimize your plan’s potential risk. A cybersecurity risk management policy may include topics such as:
- Basic procedures required of employees whose roles put them in a position to prevent a server breach;
- Technical standards for cybersecurity systems;
- Training requirements and procedures;
- Insurance coverage; and
- A schedule for reviewing and updating the policy in the future.
After drafting your cybersecurity policy, we recommend having it reviewed by legal and IT experts. Make sure to communicate the policy to all employees. As a best practice, we recommend you require all employees to sign off or attest that they have read and understood their roles and responsibilities in helping to ensure cybersecurity.
Stay Ahead of Problems
Be sure to ask your plan vendors and recordkeepers if they have a service organization control report, known as a SOC 2 report, which addresses cybersecurity controls. It’s not enough to assume that your plan vendors have everything under control. If they don’t, you could be on the hook, as well as them. And if the cybersecurity problem lies with your own systems, your liability is even more clear.