Attorneys specializing in ERISA law are carefully monitoring several cases currently winding their way through the courts: decisions are likely to establish precedents related to the fiduciary responsibilities associated with cybersecurity. Plan sponsors are urged to be ready to defend the “prudent procedures” put in place to protect participant data and assets.
Although most retirement plans outsource to third parties, sponsors retain fiduciary liability for oversight. As plan participants press to recover lost funds, decisions that emerge from cybersecurity litigation may ultimately expand the scope of fiduciary liability. Experts at The Wagner Law Group remind retirement plan sponsors:
DOL guidance indicates that the duty to monitor a service provider requires a plan fiduciary to review the service provider’s performance; review any reports it provides; check the fees charged; ask about its policies and procedures; and follow up on participant complaints. In the context of cybersecurity, the DOL has provided additional, more specific guidance, suggesting that the plan fiduciary specifically require the recordkeeper’s cyber and other protections for plan data and assets to be consistent with the plan’s own policies and procedures.
Until regulatory and judicial guidance clarifies whether or how the duty to monitor TPAs and/or recordkeepers applies in the context of cybersecurity protection and/or identity verification, plan sponsors and fiduciaries should enact policies and procedures that assume the fiduciary obligation to monitor will be applicable to them.
Although to date there has been “limited regulatory and judicial guidance as to what basic procedures are required,” pending court rulings could shine the spotlight on fiduciary breaches associated with cyber incidents. In other words, fiduciaries are under scrutiny based on what preventative measures have been put in place—and monitored—toward increased cybersecurity. With cases playing out in court in real time, attorneys urge:
It is absolutely vital that plan fiduciaries, TPAs, and recordkeepers implement prudent procedures for the maintenance of personal information, and in the distribution process, that would ensure that a participant’s identity could be verified for important changes in the participant’s identifying information, and for large or unusual distribution requests.
Best practices, which may evolve over time, could include:
- sending verifications of any change to personal information held with the plan or recordkeeper to the participant’s phone and/or email in real time (rather than in a writing by mail);
- using two-step authentication practices that require a participant to answer security questions and/or provide other information uniquely in the hands of the participant; and/or
- requiring a participant, in order to receive a distribution from a plan, to provide to the custodian bank a driver’s license or other proof of identification uniquely held by the participant.
Despite great diligence, plan sponsors can never fully eliminate the threat of a cybersecurity breach—or the associated risk of fiduciary breach allegations. That’s why Colonial Surety is here to help with affordable Cyber+Fiduciary Liability Insurance.
With this protection, for a few dollars a day, you’ll have coverage for defense costs and penalty limits up to $1,000,000 if faced with alleged or actual breaches of duty in connection with the employee retirement plan. Cyber Liability coverage is included at no extra cost, providing additional protection against regulatory actions related to data and privacy, as well as expert response services.
The Future’s Coming
New ways to better protect data and accounts are emerging. For example, password hygiene is likely to improve as passkeys gain traction and replace weak or reused passwords. As Wirecutter reports, “passkeys are the future”:
The login process will standardize over time, and passkeys are expected to be implemented more seamlessly over the next year or so. When they work correctly, it feels a little like magic: The login process is smooth and fast, and account creation is less cumbersome than it is with usernames and passwords. There’s no real downside to trying out a passkey login when you come across one, and if you’re willing to put up with a little troubleshooting, you’ll be on the edge of what feels like an inevitable change.
It will take some time for passkeys to become the new normal, so don’t forget to make the best use of what you already have, such as the Department of Labor’s Cybersecurity Guidance, which explicitly directs plan sponsors to check on the cybersecurity protocols of all service providers. Legal experts additionally advise retirement plan sponsors to put cyber breach response plans in place and adhere closely to all of the other Cybersecurity Program Best Practices prescribed by the Department of Labor. Across the country, plan sponsors and their third-party administrators are getting expert response plans in place quickly and efficiently, via Colonial Surety’s affordable Cyber+Fiduciary Liability Insurance, which, along with defense costs and penalty limits up to $1,000,000, also includes:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call Center services.
- Credit and identity monitoring.
Obtain your DEFENSE, efficiently and affordably today:
Pension plan professional? Colonial can help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing.
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.