ERISA

Asset Rich But Cybersecurity Poor?

04.22.2025

Many retirement plan sponsors remain unaware that as ERISA fiduciaries, they are obligated to mitigate cybersecurity risks to the retirement plan. It is dangerous to ignore the intersection of fiduciary and cyber responsibilities, so read on for reminders and protection strategies that make sense for plan sponsors, even those from small businesses.

Obligated To Mitigate: Cyber Threats

Unfortunately, asset rich and cybersecurity poor describes many retirement plans—and that makes them excellent targets for cyber crimes of all kinds. Not only is the cash in retirement accounts valuable, so too is the associated personal data. With so much temptation involved, threats and crimes against retirement plans will only increase. While it is impossible to eliminate the cybersecurity threats to retirement plans, sponsors need to know that as ERISA fiduciaries, they are obligated to mitigate cybersecurity threats, and, as attorneys at Buchanan Ingersoll & Rooney explain, failure to mitigate cyber threats can result in fiduciary breach allegations that put the personal assets of sponsors at risk:

Fiduciaries hold significant control over the safety and integrity of a plan’s assets; compliance with ERISA fiduciary duties requires shielding plan assets from cyber threats. Recommended plan management should mean taking action to protect personal financial data maintained at the plan level from cyber criminals. If plan fiduciaries fail to comply with strict ERISA duties regarding a plan’s assets, they can be found personally liable for breaches of their fiduciary obligations. 

To avoid breaching their duties of prudence and loyalty related to cybersecurity, plan sponsors should lean deeply into the Department of Labor’s Cybersecurity Guidance, which was originally issued in 2021 with this message: “As of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. Without sufficient protections, these participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.” Plan sponsors can follow these links to access the specific action steps the Department of Labor has urged with its Cybersecurity Guidance:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

At Morgan Lewis, attorneys have confirmed that they are observing active enforcement of the DOL’s cybersecurity guidance. When evaluating their practices for compliance, plan sponsors will find it helpful to note that DOL inquiries have taken special interest in:

  • documents governing the IT systems, a breach response plan, a disaster recovery plan, and copies of system development lifecycle controls (SDLC), if applicable;
  • schedules of systems critical to the maintenance and protection of participant data and assets (including information on data used by the plan, where data resides, systems outsourced to service providers, and file sharing systems);
  • external and internal cybersecurity audit reports, including audits of IT systems (SOC 1 or SOC 2), as well as internal and external (with auditors) communications;
  • existence of cybersecurity insurance coverage;
  • documents mentioning or discussing cybersecurity, including emails and minutes of plan committee or board of trustees/directors meetings where the plan’s cybersecurity readiness was discussed; and
  • documents regarding cybersecurity events about unauthorized access or suspicious activity.

Because plan sponsors from small businesses tend to face the biggest hurdles implementing cybersecurity recommendations, Colonial Surety Company offers an efficient, affordable and clear solution. Specifically, for a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves, with a Cyber Liability+Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits of up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Colonial’s Cyber Liability+Fiduciary Liability Insurance addresses numerous DOL recommendations by explicitly covering the plan and the business, and including:

  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call center services.
  • Credit and identity monitoring.

Plan sponsors can obtain this comprehensive coverage online in minutes today, or even speak to one of our knowledgeable ERISA experts for further support.

Mitigate threats to the retirement plan–and reduce your personal liabilities before another day goes by:

Cyber Liability Insurance+Fiduciary Liability Insurance 

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.