Yes, every business needs cybersecurity procedures–and establishing them is doubly critical for retirement plan sponsors. Fiduciary advisors stress that establishing a written cybersecurity policy with specific, actionable procedures is not only best practice but also a way to address Department of Labor standards. Read on for tips on what to include in cybersecurity procedures.
The AI Era Requires More Cybersecurity Vigilance
As fiduciaries in the AI age, retirement plan sponsors need to be ever more vigilant in their efforts to protect the retirement plan–and themselves. At Plan Adviser, Remy Samuels underscores that a proactive approach to cybersecurity is essential: “As participant data and plan assets increasingly are the target of cybersecurity and ransomware attacks, it is important that plan fiduciaries have pre-established procedures in place to protect themselves in the instance that a breach occurs.” At Cohen & Buckmann, attorney Carol Buckmann reminds us of the consequences of failing to take cybersecurity seriously:
The bottom line is that fiduciaries may be personally liable for losses caused by their breaches of their fiduciary responsibility to mitigate cybersecurity risks. Although it isn’t specifically required by law, a written cybersecurity policy should be given the same importance as the plan’s investment policy statement, missing participant procedures and QDRO and loan procedures. And given the frequency with which new kinds of threats and attacks occur, the cybersecurity policy will need to be reviewed and updated on a regular basis.
Buckmann counsels that effective breach response plans, and solid cybersecurity insurance–which explicitly covers the plan as well as the business–are critical components of preparedness against cyber threats and breaches:
Response to Breaches
Prompt notice of breaches is essential not just to comply with any applicable legal requirements, but to provide protection to participants whose data has been compromised.
Insurance Coverage
Do you and your service providers maintain adequate cybersecurity insurance coverage? Since claims can be raised under state law, standard ERISA fiduciary liability insurance may not cover them. Other types of coverage, such as directors’ and officers’ coverage, may have exclusions. ERISA bonding coverage does not cover thefts of assets by criminal hackers. If necessary, have an expert review your current coverage and needs.
When evaluating cybersecurity insurance options, business owners who sponsor retirement plans should clarify that the coverage extends to both the business and the retirement plan. To make cybersecurity insurance easy for every business and retirement plan, Colonial Surety Company offers an affordable policy that explicitly covers the business and the plan, and comes complete with a response plan. We even include cyber liability insurance at no extra cost with fiduciary liability insurance, for the protection of you–the retirement plan sponsor.
Affordable Protection Here: Cyber and Fiduciary Liability Coverage
Recommendations for Cybersecurity Procedures
In addition to obtaining cybersecurity insurance which specifically covers the retirement plan, Buckmann includes these recommendations in her advice for retirement plan sponsors and their service providers:
- Insist on multi-factor authentication. This is becoming common because it significantly lowers the risk of hacking. Cybercriminals may be able to guess passwords and user names, but they have difficulty providing further substantiation, such as a one-time code sent by text to a participant’s cell phone.
- Service Provider Audits and Tests. Any service providers with access to data and/or who have authority to direct investments should have regular third-party audits of their systems and perform regular penetration tests.
- Subcontractors. Many service providers use subcontractors to perform some of the services they undertake. It is essential that these subcontractors be subject to the same standards that would apply if the service provider were performing the services itself.
- Contract Termination. What happens to plan data if a service contract is terminated? Service providers should not retain data longer than required by law. It should be destroyed or returned to the plan.
Cybersecurity Insurance?
As the DOL has explained: “Many employers assume that since the company has cyber liability insurance, they’d be covered in a breach. The fine print in the policy notes that it applies only to the company and not the company in its capacity as a plan sponsor—something not obvious to most.” Avoid this confusion with cybersecurity insurance from Colonial Surety Company, which explicitly covers the company and the retirement plan.
Even better? At Colonial Surety, for a few dollars a day, retirement plan sponsors can obtain fiduciary liability insurance to protect themselves, and we automatically include $50k of Cyber coverage at no extra cost. With our Cyber Liability + Fiduciary Liability Insurance package, you’ll have defense costs and penalty limits up to $1,000,000, if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, as well as expert-led response services following a data breach, notification services, and more.
Affordable help is just a few clicks away. End your day with coverages–including your cybersecurity response plan–in hand:
Cyber Liability + Fiduciary Liability Insurance
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.