Best Practices: #9 and #12



While it is necessary for retirement plan sponsors to follow all of the cybersecurity best practices prescribed by the Department of Labor, numbers 9 and 12 on the list hold particular importance: following them can keep incidents from escalating into disasters. Here’s what you need to know—and do.


Obligated To Mitigate Risks

The Department of Labor’s “Cybersecurity Program Best Practices” opens with this message: “ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Accordingly, the Best Practices are intended for use by retirement plan service providers—and “for plan fiduciaries making prudent decisions on the service providers they should hire.” Plan sponsors—that means us!


Though of course all the items on the DOL’s Best Practice list require attention, #9 and #12 are noteworthy because, by carefully attending to them, plan sponsors—and their service providers—can keep cybersecurity incidents from spiraling out of control. Even the most diligent approach to cybersecurity cannot guarantee that incidents will be avoided, so a thorough cybersecurity protocol anticipates that breaches will occur and has an action plan ready to kick in when they do. Specifically, the DOL Best Practice list states:


#9: Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.


#12: Appropriately respond to any past cybersecurity incidents.


Indeed, whenever there is a cybersecurity incident, no matter the size, swift, appropriate and expert response makes all the difference, both for the business and for the protection of all the retirement plan participants. The DOL offers this specific guidance:


Business resilience is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and data. The core components of a program include the Business Continuity Plan, Disaster Recovery Plan, and Incident Response Plan.


  • The Business Continuity Plan is the written set of procedures an organization follows to recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels following a disruption.
  • The Disaster Recovery Plan is the documented process to recover and resume an organization’s IT infrastructure, business applications, and data services in the event of a major disruption.
  • The Incident Response Plan is a set of instructions to help IT staff detect, respond to, and recover from security incidents.


Cyber Breach Response Plan

Having a cyber breach response plan is a best practice which the DOL specifically details. Given the various access points for the plan, within the sponsor’s business and among service providers, as well as by participants themselves, the role an expert response plan has in protecting participants—and fiduciaries—cannot be overstated. When it comes to having a response plan at the ready, the DOL specifies these practices:


When a cybersecurity breach or incident occurs, appropriate action should be taken to protect the plan and its participants, including:


  • Informing law enforcement.
  • Notifying the appropriate insurer.
  • Investigating the incident.
  • Giving affected plans and participants the information necessary to prevent/reduce injury.
  • Honoring any contractual or legal obligations with respect to the breach, including complying with agreed upon notification requirements.
  • Fixing the problems that caused the breach to prevent its recurrence.


Across the country, plan sponsors are getting expert response plans in place quickly and efficiently, via Colonial Surety’s affordable Cyber-Fiduciary Liability package, which includes:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call Center services.
  • Credit and identity monitoring.


Now available with just a one-year commitment, Colonial’s Cyber-Fiduciary Package also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. At Colonial, Cyber Liability coverage goes hand in hand with Fiduciary Liability coverage because, under the high standards of ERISA law, a cybersecurity breach can rapidly escalate into fiduciary breach allegations. Colonial makes it so efficient and reasonable for retirement plan sponsors to secure protection that it can be done in minutes, today:


Cyber and Fiduciary Liability Insurance Here.


Good To Do

Consistently educating employees and plan participants about password hygiene is another important cybersecurity action step for plan sponsors. In fact, retirement plan sponsors are specifically advised to ensure the Department of Labor’s Online Security Tips are communicated to all plan participants—and to keep careful records of their efforts to disseminate this information. Users (aka all of us) are often the weakest link in the cybersecurity plan. That’s why experts like Allison Dirksen of Voya Financial say, “We consistently provide our employees and partners with information and educational tips and trainings about potential fraud schemes and how to protect themselves, the company and our customers….”


Protection is always best practice too. Why take chances that everyone with access to the retirement plan will always do the right thing? The annual cost of Colonial’s Cyber and Fiduciary Liability Package is less than the fee for one hour of expert legal defense if a lawsuit or regulatory challenge strikes. Plan sponsors: cover yourself and the business you built, in minutes, now.


Cyber and Fiduciary Liability Insurance Here.



Pension plan professional? Colonial can help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing.


Insurance for Pension Professionals Right Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.