Retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes the implementation and periodic review of contractual protections in arrangements with their plans’ third-party administrators (TPAs).
Most contracts prepared by TPAs for recordkeeping and related services do not provide adequate contractual protections relating to data security. Typically, the TPA’s form contract contains minimal or no protections and, in some cases, there are more obligations imposed on the plan sponsor relating to data security (e.g., protection of personal identification numbers of plan participants) than on the TPA. Indeed, a literal reading of the general indemnification provisions of some form contracts would require the plan sponsor to indemnify the TPA against losses arising from a cybersecurity breach on the TPA’s systems in the absence of gross negligence or willful misconduct by the TPA.
This is not surprising. Many of the contract forms were developed many years ago before cybersecurity issues attracted significant attention. While TPAs update their forms from time-to-time, it is not in their interest to offer robust contractual commitments in this area. As a result, it is incumbent on plan sponsors to raise the issue with their TPAs and propose appropriate contractual protections.
We recommend that plan sponsors and administrators seek the contractual protections set forth below. The types of contractual protections can be broken down into the following four categories:
1. Protection of data
2. Restrictions on the use and location of data
3. Responses to actual or threatened cybersecurity breaches
4. Liability and risk allocation
Data Protection Safeguards
The contract should require the TPA to commit to maintain appropriate safeguards for plan participant data. Typically, these commitments include some combination of the following:
- Compliance with TPA Policies – The TPA should commit to comply with its own cybersecurity policies and agree not to materially degrade the level of security reflected in those policies during the term of the contract. Plan sponsors and/or plan administrators should request copies (or at least summaries) of the TPA’s policies and have their internal IT security personnel review them from a due diligence perspective.
- Compliance with Applicable Law – The TPA should commit to comply with all U.S. and foreign data security and privacy laws applicable to the TPA’s services.
- Compliance with Industry Standards – The TPA should commit to meet industry standards relating to data security. For example, the International Organization for Standardization (ISO), which is an international standard-setting body, publishes information security standards codified in ISO 27001 / 27002. It would be reasonable to require that the TPA agree to comply with these standards and maintain ISO 27001 certification.
- Security Audits – The TPA should commit to have a nationally recognized independent third party conduct annual (or more frequent) audits or reviews of the TPA’s cybersecurity practices at facilities used to deliver the services and provide a copy (or at least a summary) of the audit report to the plan sponsor. One of the more common types of audit reports furnished by service providers is a SOC 2, Type II report under Attestation Standards Section 101 published by the American Institute of Certified Public Accountants. The SOC 2, Type II audit addresses the operating effectiveness of the TPA’s controls relating to security, availability, processing integrity, confidentiality and privacy.
With possible exceptions for certain large transactions, plan sponsors and administrators should not expect TPAs to agree to comply with the plan sponsor's own cybersecurity policies. Recordkeeping and similar services provided by TPAs are “one-to-many” solutions—that is, from a data security standpoint, the solution is generally the same for each client. Plan sponsors and administrators will therefore need to conduct their own due diligence of the TPA’s cybersecurity practices and procedures to gain a level of comfort that plan participant data is appropriately protected.