Retirement plan sponsors are responsible for vetting the cybersecurity practices of their third party providers. But what about the providers those providers outsource to? Yes, indeed: plan sponsors need to know about subcontractors and the standards and protocols in place to address cybersecurity.
Know Who Has Access To Data
At Plan Sponsor, Remy Samuels reminds us that oversight does not stop with the selection of a third party provider–it extends to understanding who else has access to participant data:
Retirement plan recordkeepers’ increasing reliance on third-party vendors for various administrative services and tools poses a challenge for plan sponsors who need to vet these vendors, especially as many have been exposed to cybersecurity breaches in the past year. To protect participant data and personal information, plan sponsors should be aware of the subcontractors with which their recordkeepers work, of which have access to participant data, and of how to respond to a breach when one occurs.
Updated guidance from The Department of Labor underscores that all plans covered by the Employee Retirement Income Security Act must implement best practices to mitigate cyber threats to plan participants. Jon Meyer, the chief technology officer at CAPTRUST, advises plan sponsors to fully adhere to the DOL guidance:
The updated guidance included tips for plan sponsors and fiduciaries when hiring a service provider. For example, the DOL recommended that plan sponsors compare their service provider’s information security standards, practices and policies, and audit results to industry standards adopted by other financial or health institutions…. “Ideally, if you’re vetting your recordkeeper, which is probably a large company, they are going to be able to tell you how they are vetting all of their suppliers,” Meyer says. “In turn, you’re going to be able to get a little more confident that they have made efforts to make sure that they are not entrusting key data to suppliers who are not worthy of dealing with that data.”
The best practices in the DOL’s cybersecurity update are similar to those of the 2021 release, but it is still important for plan sponsors to review the update against their plan protocols. In particular, New Jersey attorney Joseph Lazzarotti recommends that plan sponsors carefully vet the cybersecurity protocols of service providers, noting: “It is tempting to focus on a plan’s most prominent service providers – the insurance carrier, claims administrator, etc. However, the DOL’s guidance extends to all service providers, such as brokers, consultants, auditors, actuaries, wellness providers, concierge services, cloud storage companies, etc. Fiduciaries will need to identify what individuals and/or entities are providing services to the plan…”.
Reality Bites
Retirement industry experts acknowledge that cyber threats are often “hidden in the bowels” of how data moves between users, “because everybody’s running some piece of software that they didn’t write, that they’re relying on somebody else to have fully vetted and tested.” Regardless, as ERISA fiduciaries, retirement plan sponsors are expected to use due diligence to vet providers, and that includes understanding how services are delegated and outsourced, which, as these examples illustrate, involves contracting wisely and asking the right questions:
Kristine Sciangula, a retirement plan administrator…says her plan’s contract with its recordkeeper, T. Rowe Price, explicitly states that T. Rowe Price cannot delegate the “material duties” under the agreement to any other entity without the plan’s consent.
Meyer recommends two different approaches when vetting providers. One is requesting a SOC 2 Type II report: a third-party audit that assesses a company’s internal controls and systems related to security, processing integrity, confidentiality and privacy of customer data over a period of time. The reports are based on the American Institute of Certified Public Accountants’ trust service criteria and apply to any business handling sensitive customer information. An alternative to the SOC 2 Type II report is to conduct a shared assessment, which uses a 1,000-item questionnaire about the supplier’s processes. Meyer says working with a specialist or an ERISA attorney is helpful when conducting vendor reviews.
To monitor the cybersecurity practices of providers, it is of course key for plan sponsors to use the three-pronged DOL guidance:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks.
- Online Security Tips: Offers plan participants who check their online retirement accounts rules for reducing the risk of fraud and loss.
Remember too, Colonial Surety Company, a leading national writer of ERISA Fidelity Bonds, offers an efficient and affordable solution to help retirement plan sponsors mitigate their risks. Specifically, for a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves, with a Cyber Liability+Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits up to $1,000,000, if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Colonial’s Cyber Liability+Fiduciary Liability Insurance includes:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call Center services.
- Credit and Identity monitoring.
Plan sponsors can obtain this comprehensive coverage online in minutes today, or even speak to one of Colonial Surety’s knowledgeable ERISA experts for further support. Visit us now, and end your day with coverages–including your cybersecurity response plan–in hand:
Fiduciary and Cyber Liability Insurance HERE
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.