Addressing Cybersecurity in Your Retirement Plan Third-party Administrator Contract
Employers are well aware of the prevalence of cyber-attacks. Attacks on Anthem, Target, Home Depot, the Internal Revenue Service, among others, make national headlines and the costs associated with data breaches can be significant for businesses. According to the 2015 Cost of Data Breach Study: United States, conducted by Ponemon Institute LLC and sponsored by IBM, the average cost to an organization of a data breach is $6.5 million, and this study even excluded the cost of massive breaches, i.e., those involving more than 100,000 compromised records.
With the ever-increasing risk of cyber-attack, employers are focused upon the need to address cybersecurity with respect to their internal systems as well as their contracts with vendors. Cybersecurity, however, remains largely ignored in contracts with those providing services with respect to employer retirement plans. Proper due diligence demands that employers review the cybersecurity measures taken by their retirement plan service providers and the service contracts with those providers to assess and minimize exposure to liability for cyber-attacks.
Confidential Data and Access to Plan Assets. The third-party administrator ("TPA") that you retain to provide recordkeeping and other administrative services for your retirement plan (e.g., 401(k) plan, 403(b) plan, etc.) holds sensitive data regarding your employees. This data, referred to as "personal identifiable information" or "PII," may include social security numbers, addresses, dates of birth, account balance information, beneficiary information, and bank account information. In addition, your TPA may maintain systems that allow employees to initiate retirement plan transactions online. Your employees may be able to obtain plan loans and/or account withdrawals through your TPA's website. As a result, a successful cyber-attack against your retirement plan TPA could result in the theft of employees' identities or the theft of retirement plan assets. Hackers have (a) used online systems to access participant retirement plan accounts, change the account information, and direct distributions from the accounts to improper parties, and (b) accessed a TPA's participant database to steal personal data (e.g., names, addresses, social security numbers, etc.).1
Developing Law and Fiduciary Duties. The law governing cybersecurity is developing and is currently a patchwork of state and federal regulations. There is no comprehensive federal law governing cybersecurity. There are laws that govern the financial industry's use of financial information, e.g., the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act. These laws, however, do not apply directly to retirement plans or the PII held in conjunction with those plans. Most states have laws that address the protection of PII in some form but, like the federal laws, these laws do not apply directly to retirement plans.
The law related to the assessment of liability in the event an employee or former employee experiences a loss as a result of a cyber-attack on an employer's retirement plan(s) is also developing. Plan fiduciaries clearly have an obligation to protect retirement plan assets. Given that cyber-attacks may jeopardize the safety of those assets, employers should consider cybersecurity as it relates to the safety of plan assets when making decisions to select or retain a TPA and/or trustee for its plan(s).
It is less clear what the employer's exposure would be in the event an employee's identity would be stolen as a result of a cyber-attack on the retirement plan TPA if no theft of retirement plan assets occurs. It seems safe to assume, however, that an injured employee's counsel would want to examine the due diligence the employer undertook in selecting the TPA if, for example, the TPA's security measures fell below industry standards.
In addition, you should review the cybersecurity provisions of your contract with your retirement plan TPA. Despite the risk faced by an employer's retirement plan and employees as a result of a cyber-attack on a TPA, administrative service agreements with TPAs generally do not address cybersecurity specifically. This omission occurs for a number of reasons. If an employer has used the same TPA for a number of years, the service agreement may be old and predate the escalation in cyber-attacks. If no problems have arisen, the employer may not have thought there was a need to review the agreement. In addition, the TPA generally provides the service agreement form and does not have an incentive to address cybersecurity specifically in the agreement. Finally, some employers may view TPA agreements as form contracts and not realize these contracts often shift liabilities back to the employer and, therefore, need legal review.
If cybersecurity is not addressed or is only minimally addressed in your agreement with your TPA, we would propose an amendment to the contract. Among other provisions, the amendment could address:
[Note: If you are in the process of reviewing TPA services currently and you are sending out requests for proposal, we encourage you to require each TPA candidate responding to provide, with its proposal, a copy of any agreement it will ask you to sign. Your negotiating leverage is the greatest before you make your TPA selection. Far too often, we find that an employer who selects a new TPA first receives the service agreement from the TPA after the employer announces the selection, after the changes in TPA and plan investment funds have been communicated to employees, and on the eve of the scheduled transfer of plan assets to the new vendor(s). At this late stage, the employer's negotiating leverage has been significantly diminished.]
Finally, you should establish a procedure to review periodically your TPA's compliance with the data security and privacy provisions of your service contract and your TPA's compliance with its own data security and privacy cybersecurity procedures and policies.
1 2011 Advisory Council on Employee Welfare and Pension Benefit Plans report to the Secretary of Labor, titled "Privacy and Security Issues Affecting Employee Benefit Plans."