Why plan sponsors need to prioritize cyber security
The potential ramifications for retirement plan sponsors and participants of their record keeper being hacked are almost too scary to contemplate. Fortunately, most record keepers attending the 2017 SPARK National Conference near Washington D.C. on June 1 are already considering how security threats are impacting their business.
That’s a good thing, because getting hacked is almost an inevitability, according to Greta Cowart, an attorney with the Texas-based Winstead firm, who spoke at the conference.
“Breaches will happen, whether it’s someone hacking in, an employee opening the wrong kind of attachment, or some other employee misstep,” she warned attendees. And when they do, Cowart said, the regulatory ramifications will be as complex as the reputational damage to all parties involved will be great.
One of the challenges from a compliance standpoint is that the pace of information technology development has vastly outstripped laws and regulations governing hacking scenarios.
Legal liability sources
Potential liability for all parties involved, in principle including plan sponsors, can originate from common trust law with its standards for fiduciary behavior, including protecting the privacy of trust beneficiaries. State laws mandating protection of the confidentiality of employee Social Security numbers, as well as accounting industry standards for management control of cybersecurity and for reporting of breaches, also come into play.
Parties to the breach could also face liability under “private rights of action recognized in case law,” Cowart warned.
And in a ransomware scenario in which record keepers (and, by extension, plan sponsors) are unable to access participant data in order to furnish them with required routine ERISA notifications, sponsors could be cited for violating Department of Labor and IRS regulations. For example, a failure to provide a DC plan participant a quarterly or annual account statement could result in up to a $110 per day per participant fine.
Checking on vendors
Basic recommended data security measures, according to Cowart, include secure file transfer protocols, encryption, security monitoring and secure websites. She also offered a checklist of procedural data security steps, including:
· Ensure that vendor due diligence assesses vendors’ security practices and procedures, including relevant hiring practices,
· Review vendor software and IT operations from a security and monitoring perspective, and
· Include personal information privacy protection guarantees in vendor contracts.
In addition, Cowart’s co-presenter, Segal Co. Vice President of DC Services Wendy Carter, spoke to the role of cyber security insurance. She noted that professional liability policies for trustees generally don’t cover cyber issues. Moreover, the market for cyber-specific coverage is currently at the “Wild West” stage, with wide variances in premiums and contract models.
Carter also stressed that most policies provide valuable services independent of specific indemnification for participant, plan sponsor or record keeper financial loss. If, for example, a plan sponsor is responsible for a security lapse and ensuing cyber attack, an insurance policy often will cover:
· Legal advice,
· Forensic services to identify the specific source of the breach,
· Notification of participants and addressing their questions,
· Notification of regulatory authorities,
· General public relations efforts to mitigate organizational reputational damage,
· Credit monitoring services for impacted plan participants, and
· Identity theft remediation.
In addition to gaining a measure of protection, an important benefit of securing cyber liability insurance is having one’s existing cyber security systems reviewed as part of the underwriting process, exposing potential gaps that need to be filled to minimize the risk of a successful attack, Carter said.