From McKonly & Asbury
In recent years, employee benefit plans (EBPs) and their service providers have fallen victim to cyber schemes to steal participant data, make fraudulent transfers of participant assets (through direct transfers and fraudulent plan loans), and carry out ransomware attacks. Why are EBPs so vulnerable to this type of cyber activity? Here are a few of the most compelling reasons:
- EBPs operate in a highly electronic environment. Electronic benefit plan information includes large amounts of sensitive employee information that is shared with multiple third parties, including outsourced service organizations that also maintain and electronically share sensitive employee and asset information.
- EBPs often fall outside the scope of a sponsor organization’s cybersecurity planning with regard to ongoing business activities.
- Unlike other businesses that handle personal information, EBPs are not regulated for cybersecurity purposes.
- Plan sponsors and administrators may be under the false impression that anti-virus and anti-spam software adequately protect them from these risks.
- Plan sponsors and administrators may believe that their service organization SOC 1 reports address cyber risks at the service organization when, in reality, they do not.
How Plan Fiduciaries Can Protect Plan Information from Cyberattacks and Respond to Data Breaches
In the EBP world, it is common knowledge that ERISA requires benefit plan sponsors and other fiduciaries to administer their plans for the exclusive benefit of plan participants and beneficiaries, and with the “care, skill, prudence, and diligence under the circumstances that a prudent person acting in a like capacity and familiar with such matters would use.” However, plan fiduciaries also have a duty with respect to the management of the plan – and this includes implementing processes and controls to restrict access to a plan’s systems, applications, and data (including third-party records and other sensitive information). Plan sponsors must also understand how their service providers store and protect the participant data they handle. According to the DOL ERISA Advisory Council Report, Cybersecurity Considerations for Benefit Plans, if (or when) a cybersecurity breach occurs, plan sponsors should have a plan in place for addressing the breach. Specifically:
- The plan should establish procedures for how the sponsor and its service providers will communicate with plan participants who may be worried about the breach and protecting their data.
- Sponsors should have a process for determining how a breach will be corrected and what remedies will be used.
- Sponsors should document both their overall process for responding to cybersecurity breaches and any steps they take in correcting an actual breach. This documentation will help show that they acted prudently in the face of the breach.
- Sponsors should vet their service providers and negotiate contract provisions to lower or mitigate the costs of correcting a possible cyberattack on a plan.
- Sponsors should review and understand the limitations of their business insurance coverage, and consider cyber insurance to address possible coverage gaps.
Additional Cybersecurity Considerations When a Third-party Service Provider is Used
Many plan sponsors use third-party service providers such as plan administrators, actuaries, auditors, trustees, insurers and consultants for plan management and administration. These providers regularly collect and maintain sensitive employee data, such as SSNs, addresses, dates of birth, account balance information, beneficiary information, and bank account details in order to deliver their services. Some service providers also maintain systems that allow employees to initiate transactions online, such as obtaining loans and/or account withdrawals. Given this, a cybersecurity breach within a service provider could result in participants’ identities, personal information, or plan assets being compromised. Plan sponsors should have discussions with the plan’s third-party service providers regarding policies and procedures relating to data security, including passwords, use of social media, document retention, internet privacy, and other relevant issues. Plan sponsors should also understand the providers’ procedures for breach notification, including any obligations they may have to notify participants or governmental authorities. This information can be obtained through discussions with those providers and by reviewing the service provider agreements.
Does a SOC 1 Report Address a Plan’s Internal Control over Cybersecurity Controls and Risk?
For plans that utilize service organizations for most (or all) of their electronic records and investment transactions, a common misconception may be that those plans have relatively little cybersecurity risk if the service organization’s SOC 1 report identifies no issues. However, a SOC 1 report addresses only a plan’s internal control over financial reporting; it does not address broader entity cybersecurity controls and risk. A SOC 2 report, on the other hand, specifically addresses the cybersecurity controls and risks in the system used by the service organization to provide such services to the plan. The report may also address controls relevant to the service organization’s ability to maintain the confidentiality or privacy of the information processed by the system. As such, a SOC 2 report can help plan management assess and manage risks associated with outsourcing a function to a service organization by providing information about the effectiveness of controls at the service organization and how those controls integrate with the plan’s controls.
Effective Practices and Policies to Protect Against Cyberattacks
To help plans address their cybersecurity risks, the DOL Advisory Council Cybersecurity Report (discussed above) included information for plan sponsors and fiduciaries to utilize when developing a cybersecurity strategy and program. The report identified four major areas that sponsors and fiduciaries should focus on:
- Data management – Protect and control data
- Technology management – Maintain up-to-date technology
- Service provider management – Perform due diligence on plan data security of service providers
- People issues – Properly train and manage personnel
The report also includes information for plan sponsors to assist them in establishing a cybersecurity strategy for employee benefit plans and contracting with service providers, as well as a list of resources for plan sponsors and service providers that addresses considerations for managing EBP cybersecurity risks. We encourage you to review the report and use it to strengthen your organization’s cybersecurity practices, particularly as they relate to your EBPs.