Benefit Management Priority: Cybersecurity


Experts remind employee benefit plan managers that they have increased accountabilities for cybersecurity and must roll up their sleeves to work at the intersections of plan management and technology.


Mind The Gap

Leaders at the FBI’s Cyber Criminal Division share this instruction with companies of every size: “Cybersecurity is primarily a business management problem.” In other words, although cybersecurity is technical in nature, it is not just another item for the tech team to resolve—it requires strategic leadership and management across the organization. When it comes to benefits, like the employee retirement plan, attending to cybersecurity has fiduciary implications—as laid out in the Cybersecurity Guidance from the Employee Benefits Security Administration (EBSA). Roland Criss offers this guidance about “minding the gaps” between business teams when it comes to ensuring the cybersecurity of employee benefit plans (EBPs):


Since operational management of EBPs tends to fall at the feet of human resources leaders, that executive class requires new skills and methods because technology IS the plan, and technology is the enabler from payroll to processing a plan’s transactions. Yet, the information technology groups of most employer organizations are in a silo far away from fiduciary committees…Most human resources departments select Internet-centric service providers that retain PII and PHI, like recordkeepers and payroll processors, without involving their organizations’ IT units. Prudence demands otherwise! The lines between human resources functions and technology functions are blurring. Therefore, leading human resources executives must look for ways to engage more deeply with their technology peers and embrace that overlooked resource. Doing so will help enlighten EBP plan managers about the difference between a cybersecurity risk management process and the technology that protects internet-connected systems such as hardware, software, and data from cyber threats.

Under ERISA law, any person involved in the management of the employee retirement plan can be held personally liable for a fiduciary breach—and these days, even a seemingly small cyber incident can lead to allegations of a fiduciary breach. Why take unnecessary risks? The annual cost of Colonial’s Cyber and Fiduciary Liability coverage is less than the fee for one hour of expert legal defense if a lawsuit or regulatory challenge strikes you and your business. Get covered, in minutes, today:

Cyber and Fiduciary Liability Insurance Here.


To Do List

This expert advice on the fiduciary disciplines of governance and controls may help business managers from across functions better understand—and act on—the standard of care expected for the cybersecurity of retirement plans. Additionally, here are five of the cybersecurity action steps for employee benefit plans that Roland Criss suggests:


Cybersecurity Policy

Regardless of an EBP’s size or complexity, the need for a cybersecurity policy statement explicitly written to align with the EBSA’s guidance has escalated to the same level of importance as an investment policy statement maintained by defined contribution and defined benefit plan fiduciaries.


Monitoring Agenda

The agendas of EBP committees should include a permanent entry for monitoring a data security management plan.


Service Provider Management Standards

EBP committees should have written cybersecurity rules for hiring, monitoring, and re-engaging vendors of retirement plan services, healthcare plans, payroll operations, and any other service provider that takes possession of PII or PHI.


Make Cybersecurity Training a Committee Prerequisite

Get trained on all aspects of the EBSA’s cybersecurity guidance. Also, ask your information technology unit for awareness training in cybersecurity standards such as those promulgated by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”).


Commission an Assessment

Initiate an examination of your plan’s current cybersecurity weak points, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment should adhere to independently developed criteria, and a periodic review offers a way to ensure continued improvement.


Another important cybersecurity action step all businesses can cross off their lists in minutes, today, is putting a cyber breach response plan in place. A cyber breach response plan prevents incidents from spiraling into disasters and is one of the best practices specifically recommended by EBSA. Get your response plan in place immediately with Colonial Surety’s affordable Cyber-Fiduciary Liability package, which includes:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call center services.
  • Credit and identity monitoring.


Now available with a one-year commitment, Colonial’s Cyber-Fiduciary Package also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. Remember, because a cyber breach can quickly spiral into allegations of a fiduciary breach, it’s critical for retirement plan sponsors to have both cyber and fiduciary liability protection. Colonial makes it so efficient and reasonable that you can secure your protection in minutes now:


Cyber and Fiduciary Liability Insurance Here.



Pension plan professional? We’re here to help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing.


Insurance for Pension Professionals Right Here.

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.