The Time to Develop a Benefit Plan Cybersecurity Policy Is Now!
There is widespread concern for the security of the employee data that is collected, transmitted, and stored with regard to employee benefit plans and for the security of the assets in participant accounts. Further, the array of technological tools that have emerged to aid in the administration and delivery of employee benefits continues to grow and fuels further concern.
Retirement industry groups such as the Spark Institute and the Financial Services Information Sharing and Analysis Center recently joined forces to establish the Retirement Industry Council to share information about new data security threats and strategies for improving security in the retirement market. Plan sponsors and fiduciaries must be cognizant of these developments and do their part to ensure that they have controls in place to prevent security breaches of plan participant data and assets, and that they have addressed these considerations with service providers. Although there is no clear fiduciary mandate under the Employee Retirement Income Security Act of 1974 (“ERISA”) with regard to cybersecurity, plan fiduciaries do have a duty to carry out their responsibilities prudently and in the best interests of plan participants and beneficiaries. Employers that take the time to develop a benefit plan cybersecurity policy (“Policy”) will be well positioned to demonstrate prudence and diligence in these efforts, and prepared in the event of a data breach.
At a minimum, consider taking the following actions, which are by no means exhaustive:
Assemble a qualified team. The team may include individuals from HR, IT, legal, compliance, risk management, and any organizational cybersecurity leaders. Make sure that the team defines its protocols around data collection, processing and storage, encryption, outsourcing, areas of risk, and breach notification and response, and ensure that its protocols are properly executed and updated in compliance with applicable laws. Designated plan fiduciaries should also provide input and adopt the Policy as part of its fiduciary best practices. If your organization does not have adequate in-house resources to develop a Policy, obtain qualified outside assistance.
Identify the data. Define the types of data that are at issue, and set parameters regarding their maintenance and security. Employee benefit plans store extensive personally identifiable information (“PII”) for participants and beneficiaries, such as Social Security numbers, addresses, dates of birth, and financial information. Such information may be accessed by various personnel and service providers, which makes it vulnerable to data breaches. Further, depending on the type of benefit plan program, privacy and security may require vetting through different channels. For example, the use or disclosure of protected health information (“PHI”) will need to comply with Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy and security policies (and electronic transmission of health information will need to comply with the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009). This can become further complicated when participants use health-tracking wearable tools, which interact with health plans—the plan may need a business associate agreement with cloud or storage providers receiving PHI. With a retirement investment advice tool, plan fiduciaries should undertake due diligence of its privacy and security measures to protect PII.
Train employees. Ensure that all personnel who have access to employee data are properly trained in safeguarding it, including securing the transmission of any data to third-party service providers. Designate individuals to respond to any benefits-related data breach and follow procedures for reporting breaches through the appropriate channels of the organization. Properly vet internal personnel handling this data, and take measures to protect against security breaches from within the company.
Develop additional standards for selecting and monitoring service providers. Establish cybersecurity guidelines for engaging, monitoring, and renewing service providers, such as confirmation of their cybersecurity program and certifications, details regarding how they encrypt and protect data, their breach notification procedures, and a review of Service Organization Control reports regarding their privacy and security controls, levels of insurance, and scope of their assumption of liabilities. Understand whether the service provider utilizes agents or subcontractors to perform the services and the chain of security measures. Establish rules for any IT security review of service provider systems, including requests for penetration tests to detect security risks. Address data privacy and security, breach notification procedures, liability, and indemnification provisions in service agreements in accordance with the standards of the organization’s Policy.
Address data interactions. Understand how data is accessed by participants and third parties, such as through online access or requests for retirement account distributions or transfers. If not already doing so, request that the service provider utilize enhanced measures such as two- or even three-step authentication for participants to access to the information. Consider having the service providers generate and issue more complex usernames and passwords, as participants frequently use the same passwords and usernames across different websites. Consider setting up alerts for unusual behavior. Also, educate employees on the steps they can take to protect their benefit plan information.
Review security of mobile apps. Many new mobile apps allow plan participants to check account balances, contributions, and investment changes; request loans or distributions; and receive alerts and educational information. Apps also track financial and physical wellness, and collect and convey such information to benefit plans. Despite their convenience, however, the use of mobile apps provides yet another opportunity for data breaches or the actual theft of assets and benefit payments. Make sure that the Policy sets forth the protocols that should be followed when introducing apps into any benefits program.
Cybersecurity insurance. In addition to errors and omissions and fiduciary liability insurance policies, cybersecurity insurance has emerged in recent years and can offer various types of coverage, including coverage for certain disaster recovery and response assistance that can be triggered by a benefit plan upon a breach. Assess existing coverages to ascertain how cybersecurity insurance can fit with your employee benefits needs.
It is time to develop a prudent benefit plan cybersecurity policy that will enable employers and plan fiduciaries to face challenges head-on and reduce potential liabilities.