The Department of Labor has issued updated cybersecurity guidance, and confirmed that the protocols are applicable to all plans covered by the Employee Retirement Income Security Act (ERISA). Attorneys are advising fiduciaries to implement safeguards.
Best Practices In Cybersecurity
In announcing a new Compliance Assistance Release, which updates the cybersecurity guidance the U.S. Department of Labor (DOL) released in 2021, Assistant Secretary for Employee Benefits Security Lisa M. Gomez underscored: “All ERISA-covered plans need to implement appropriate best practices to help protect participants and their beneficiaries from cybercrime and emerging threats. These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information.”
Following the same approach as the original cybersecurity guidance, the update “provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants” spelled out in these three sections:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks.
- Online Security Tips: Provides plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.
Though the best practices in the cybersecurity update are similar to those of the 2021 release, it’s wise for plan sponsors to review the update and check their plan protocols for areas of improvement. As New Jersey attorney Joseph Lazzarotti reminds us: “cybersecurity should be a significant compliance concern for just about any benefit offered to employees, whether covered by ERISA or not.” In particular, Lazzarotti recommends that plan sponsors take a thorough approach to vetting the cybersecurity protocols of service providers, noting:
It is tempting to focus on a plan’s most prominent service providers – the insurance carrier, claims administrator, etc. However, the DOL’s guidance extends to all service providers, such as brokers, consultants, auditors, actuaries, wellness providers, concierge services, cloud storage companies, etc. Fiduciaries will need to identify what individuals and/or entities are providing services to the plan….
The EBSA’s Compliance Assistance Release No. 2024-01 significantly expands the scope of compliance for ERISA fiduciaries with respect to their employee benefit plans and cybersecurity, and by extension the service providers to those plans. Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.
Response Planning and Protection?
Among the best practices the DOL wants plan sponsors to implement is a resiliency program that includes a thorough plan for responding to cyber incidents. Colonial Surety Company, a leading national writer of ERISA Fidelity Bonds, offers an efficient and affordable solution for retirement plan sponsors. Specifically, for a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves, with a Cyber Liability+Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits up to $1,000,000, if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Colonial’s Cyber Liability+Fiduciary Liability Insurance includes:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call center services.
- Credit and identity monitoring.
Plan sponsors can obtain this comprehensive coverage online in minutes today, or even speak to one of Colonial Surety’s knowledgeable ERISA experts for further support. Visit us now, and end your day with coverages–including your cybersecurity response plan–in hand:
Cyber and Fiduciary Liability Insurance
Good To Know
Referencing an ERISA Advisory Council report, Lisa Gomez, the Assistant Secretary of the Employee Benefits Security Administration, has urged plan sponsors to speak with their insurance providers about what their cybersecurity coverage encompasses, and “make sure you are protected there.” Gomez pointed out, for example, “Many employers assume that since the company has cyber liability insurance, they’d be covered in a breach. The fine print in the policy notes that it applies only to the company and not the company in its capacity as a plan sponsor—something not obvious to most.”
Why take chances? Colonial Surety’s plan sponsor protection ensures fiduciary liability coverage for plan sponsors and cyber liability coverage that explicitly covers the business and the plan.
Fiduciary and Cyber Liability Insurance HERE
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.