Even if the magnitude and omnipresence of cyber threats has had you and your small business frozen like a deer in the headlights, you can get up to speed with expert advice and practical actions today. It’s especially critical to do so if your company sponsors a retirement plan. Here are some practical ways to get moving on cybersecurity.
Review Third Party Cybersecurity Controls
Through its Employee Benefits Security Administration (EBSA), the Department of Labor has provided guidance to retirement plan sponsors, which includes best practices for cybersecurity. Becoming familiar with these pointers is essential. Accounting experts at MHM who have studied the guidance suggest acting on it by conducting a thorough review of the cybersecurity controls in use by third-party service providers, such as record keepers. Specifically, this would include:
- Comparing cybersecurity policies and procedures to industry standards, cybersecurity frameworks, and peer companies.
- Asking whether and how the third-party validates its cybersecurity controls and what level of security it has implemented.
- Reviewing the provider’s security history, including ongoing cyberattack litigation and whether they have been victims of past breaches.
- Asking to review a current SOC 2 Type 2 report commissioned by the third party.
- Inquiring about whether the provider has insurance that would cover cybersecurity losses of the plans and its participants in the event of a breach or attack.
Experts point out that depending on findings from a review, it might be wise to pursue deeper examination by requesting a Systems and Organizations Controls (SOC) report. MHM also reminds us of the importance of ongoing cybersecurity training for everyone using the retirement plan—including participants: “Plan participants play a role in cybersecurity. It is never too late to offer security awareness training for participants and employees to educate them on the easy steps they can take to prevent unauthorized access to plan data. Phishing strategies and other attack vectors continue to evolve, so regular training is essential to helping everyone understand the changes in the IT security risk environment.”
Plan sponsors will want to maintain careful records documenting all actions taken to keep the retirement plan safe, including training, communications and review of vendor practices. As MHM cautions, actively promoting cybersecurity is a fiduciary obligation for plan sponsors. Specifically, the U.S. Department of Labor reminds us, “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Among the DOL’s recommended best practices for doing so is having a solid cyber breach response plan at the ready. Colonial Surety is here to help with an affordable Cyber-Fiduciary Liability insurance package. It comes complete with a cybersecurity response plan, which includes:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call Center services.
- Credit and Identity monitoring and other personal fraud or loss prevention solutions.
In addition to these cyber breach response services, plan sponsors armed with Colonial’s Cyber-Fiduciary Pack are also covered for defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. At Colonial, we make it so efficient and reasonable for plan sponsors to secure insurance that you can do it in minutes, now:
Chaos Versus Preparedness
Prompt response and investigation following a cyber breach is essential—and can prevent an incident from spiraling into a disaster. Of course, following the legally required steps is resource intensive—and time consuming for small businesses. As experts explain, among other steps, a “root cause” analysis must be undertaken to ascertain weaknesses, and notification obligations must be attended to, following state law.
Because most plan sponsors outsource retirement plan operations and administration to service providers, it may be tempting to assume that cybersecurity is the responsibility of these third parties. However, it is critical to ensure that contracts with vendors spell out their actions, expectations and responsibilities related to cybersecurity. EisnerAmper reminds us that, bottom line, plan sponsors have a fiduciary duty to safeguard plan assets, and explains that outsourcing actually heightens the need for vigilant cybersecurity.
Given the enormous responsibilities involved in sponsoring a retirement plan, many plan sponsors find Colonial’s Three Point Coverage Package reassuring. It gives plan sponsors the greatest value and protection, providing:
- the required ERISA bond to protect the assets of the retirement plan from theft;
- Fiduciary Liability coverage to protect you and your assets from personal liability;
- Cyber Liability coverage to ensure expert response and safeguard your company and plan from covered losses and expenses in the event of a cyber breach.
Colonial Surety was founded in 1930 and brings deep experience and market expertise to every product and every customer relationship. Colonial Surety gives its customers the assurance that they, their businesses, and their clients are safeguarded with the right surety and insurance products at all times.
We make it easy for a wide range of industries and professions to buy the bonds and insurance products they need. Colonial Surety is a direct and digital insurer offering products through an online platform supported with exemplary customer service. The company gives customers a simple, direct, and instant service that takes the pain out of buying insurance and bonds. Colonial Surety is licensed in every state in the U.S., rated “A” Excellent by A.M. Best, and listed by the U.S. Treasury as an approved surety.