Several recent incidents involving improper access to retirement data by third-party call center representatives underscore the important role plan sponsors must play in mitigating cybersecurity threats. Unfortunately, the majority of cyber breaches occur at small and mid-sized businesses, and, lacking protocols and protections, many of them find themselves in a downward spiral following a breach.
It Only Takes One Bad Player…
“What’s at stake is participants’ largest nest eggs—their life savings—being put at risk due to insufficient management of cyber security.” That’s a sobering reminder from CAPTRUST Chief Technology Officer Jon Meyer. As if the life savings of employees were not enough to bear ultimate responsibility for, plan sponsors protecting retirement accounts need to know there is even more at stake:
The plan sponsor’s reputation and financial health. Cybercriminals today are targeting large and small businesses almost indiscriminately, and to great effect. Research by the National Cyber Security Alliance found that more than 70 percent of cyberattacks target small or medium-sized businesses, and 60 percent of those attacked went out of business within six months… “It’s not just about securing the plan itself,” says Nick Brezinski, CAPTRUST director of information security and network. “It’s about securing the entire ecosystem, including recordkeepers, third-party administrators, participants, and anyone else with access to plan data.” That can seem daunting for plan sponsors that don’t know how to get started, but there are key practices that can help to light the way.
The Cybersecurity Guidance from the Department of Labor provides plan sponsors with an important framework about their responsibilities for mitigating cybersecurity risks. As prudent fiduciaries, plan sponsors must put a “full and effective information security program” in place. Although this typically involves securing external service providers, plan sponsors retain responsibilities and liabilities, as CAPTRUST leadership explains:
“Hiring external experts or service providers does not transfer the risk to that third party. The sponsor still owns the responsibility for securing their data and running the plan’s broader cyber security program. External experts can supplement where internal resources are lacking, but accountability remains with the plan sponsor.” Fiduciary responsibility itself cannot be outsourced, which means that sponsors have a duty to monitor their vendors… Since many plan sponsors rely on third-party service providers, it’s crucial to vet vendors rigorously and confirm that they are complying with stringent security standards… “It’s not enough to have a handshake agreement,” says Jon Atchison, CAPTRUST senior team lead… “Where possible, make an effort to lock down your vendors with data privacy and security agreements.” These agreements legally bind vendors to maintain certain standards, which are essential for ensuring that vendor security practices align with the plan sponsor’s risk management strategies.
Scary To Know
It recently took only one questionable employee at a third-party administrator to put the retirement accounts of over 2,000 retirement plan participants at risk by improperly accessing data that included “participants’ names, Social Security numbers, dates of birth, mailing addresses, previous employers, previous retirement plan sponsors, and …account numbers, types and balances.” External breaches, including hacks, are of course a threat too, as yet another recent breach at a different third-party administration company shows: “more than 71,000 people had their personal information exposed.”
Plan sponsors should keep in mind that even a relatively small cybersecurity incident can rapidly escalate into fiduciary breach allegations. National risk management expert Richard Clarke cautions: “Given that any person involved in the management of an employee retirement or benefits plan can be held personally liable for a fiduciary breach under ERISA law, they must roll up their sleeves to work at the intersections of plan management and technology.” While digging into cybersecurity best practices, plan sponsors also need to protect themselves. Why shoulder all the risks alone?
At Colonial Surety Company, Fiduciary+Cyber Liability Insurance is affordable and efficient: a whole year of coverage is just a few dollars a day, and it protects the company, the plan and you, the plan sponsor. Our package defends against lawsuits, covers potential penalties and provides expert crisis management response services following a cybersecurity breach. Quote, obtain and download your policy, in minutes, now:
Fiduciary+Cyber Liability Insurance HERE
Serving customers since 1930, Colonial Surety is the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time. Colonial Surety Company is rated “A Excellent” by A.M. Best Company, US Treasury listed and in business all across the country.