ERISA

Cyber Failure Plus Fiduciary Breach?

06.27.2025

Yes. When you sponsor a retirement plan, like a 401k, you are automatically a fiduciary, so in the event cybersecurity failures impact the data or savings of participants, you can face fiduciary breach allegations and be held personally liable. Even if you have done nothing wrong, defending yourself is very likely to be costly and disruptive. Read on for clarity on protecting the plan, preventing problems, and protecting yourself. 

Access and Opportunity: Broad Attack Surface

At Woodruff Sawyer, Bridget Quinn and Jennifer Schuessler remind us that ERISA retirement plans provide the access and opportunity cybercriminals seek when looking for weaknesses to exploit, and underscore: “The digital nature of plan administration and the reliance on third-party service providers create ample access given the broad attack surface.” Though retirement plan sponsors can never eliminate the possibility of cyber-crimes, they are obligated to mitigate threats, as Woodruff Sawyer’s legal advisors further explain:

Can a Cybersecurity Failure Be Considered a Breach of Fiduciary Duty? The short answer is yes. A breach of fiduciary duty in the context of ERISA and cybersecurity occurs when a plan fiduciary, such as a plan administrator or trustee, fails to act in the best interests of plan participants by neglecting to protect plan assets and participant data from cyber threats. But the obligation is broad, and it can include failing to implement adequate cybersecurity measures, respond to data breaches, or adequately manage cybersecurity risks.  

Given that most retirement plan services are outsourced, one key way sponsors can uphold their fiduciary responsibilities is through rigor in the selection and monitoring of all plan service providers. Careful attention to cybersecurity in all contracts lays the foundation for a muscular approach to third-party risk management. Quinn and Schuessler advise that all contracts “should include the right to periodic risk assessments, proactive monitoring, and issues management,” and offer these pointers for tuning into cybersecurity before signing off on contracts:

Plans can use the contracting process to incorporate clauses, such as requiring third parties to implement key cybersecurity controls, into legally binding agreements. Management should ensure that contracts with third parties reflect the same level of cybersecurity protection expected within the plan, including contractual provisions such as requiring phishing-resistant multifactor authentication, data classification and encryption, intrusion detection, and independent control reviews. Common provisions include: 

  • Requiring detailed reports on any internal monitoring performed by the third party (i.e., ongoing audits) 
  • Identifying a maximum timeline to report a data breach from the date of discovery 
  • Maintaining a cybersecurity program and policy 
  • Updating and testing the business continuity plan 
  • Encrypting all critical data 
  • …. An often-overlooked element is the insurance requirements. Requiring cyber insurance with adequate limits as well as an errors and omissions policy that would respond to a failure to safeguard data is necessary.  

Because the selection of third-party service providers is ultimately a plan sponsor decision, the sponsor remains responsible for robust and frequent oversight throughout the duration of the contract. During cybersecurity monitoring, key questions about plan data need to be addressed, such as: 

  • Who has access to the data? 
  • What type and volume of data are being shared? 
  • How is the information being shared? 
  • Where is the data stored? 
  • Is data at rest encrypted? 

Guidance from the Department of Labor specifically directs retirement plan sponsors to monitor the cybersecurity practices of every third party servicing the retirement plan. For further help doing so, visit the Spark Institute, which provides specific examples for discussing cybersecurity controls with service providers. Even while addressing the expectations around cybersecurity, it is critical for plan sponsors to also recognize that lawsuits on behalf of plan participants are on the rise following cyber breaches: 

After a hack impacting an ERISA plan’s assets or data, plan participants increasingly respond with litigation. Their targets can include the employer that sponsors the plan, plan administrators, and other fiduciaries. These suits can involve serious allegations, including breaches of the fiduciary duties ERISA imposes, for alleged failures to maintain adequate cybersecurity measures. The plaintiffs’ bar representing participants in such lawsuits is specialized and opportunistic…. Plan sponsors can therefore find themselves targeted by lawsuits questioning their fiduciary practices. As these lawsuits continue, and as the theories pursued in litigation continue to evolve, fiduciaries should understand that their data security practices (and their supervision of the data security practices used by the service providers they hire) could become the subject of litigation.

Colonial Surety Company offers an efficient, affordable and clear solution to help retirement plan sponsors manage their personal and business risks. Obtain protection for your company, your plan and yourself, as a retirement plan sponsor, for a few dollars a day with our Cyber Liability+Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits up to $1,000,000 if you face claims of alleged or actual breaches of duty in connection with the employee retirement plan, Colonial’s Cyber Liability+Fiduciary Liability Insurance addresses numerous DOL recommendations, explicitly covers the retirement plan and the business, and includes:

  • Expert-led response services following a data breach
  • Protection from lawsuits and regulatory actions related to the breach
  • Legal services
  • Computer forensic services
  • Public relations and crisis management expenses
  • Notification services
  • Call center services
  • Credit and identity monitoring

Obtain your retirement plan sponsor protection online in minutes now:

Cyber Liability Insurance+Fiduciary Liability Insurance 

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.