Data Protection: Who Has Access?



Given the rapid pace of evolving technology—and today’s litigious environment—benefit industry experts remind plan sponsors that protecting participant data against cybersecurity breaches is an increasingly pressing duty. Since it’s not a matter of “if” a breach will be experienced, but “when,” proactive preparation for a breach is a must.



Understanding how participant data is stored and accessed is fundamental to the security of retirement plans. As Pam Hess, vice president of research at the DCIIA Retirement Research Center, puts it: “At the heart of the matter for plan sponsors is: Who has access to your participant data, and how are you protecting that data? When it comes to a data breach, it’s not a matter of if, but when.” Preparedness begins with studying up on the Department of Labor’s Cybersecurity Guidance, which explicitly directs plan sponsors to monitor the cybersecurity protocols of all service providers, put cyber breach response plans in place and adhere closely to all of the other recommended Cybersecurity Program Best Practices. Plan Sponsor provides these specific examples of the kinds of action it is wise to take:


Plan fiduciaries should document their process in considering the guidance and why the guidance was or was not followed. They should discuss who is responsible if there is a “blameless breach” and ensure all parties are aware. They should clarify the roles of the service provider, the participant, the consultant/adviser, law firm and other stakeholders and document those roles.


During vendor negotiations, it is useful to fully understand the vendor’s history and protocols. Ask if (or when) the vendor has paid out cybersecurity claims. Clearly define “data breach” and notification standards on your plan’s behalf. What are the remediation steps? What remedies are provided to participants? Also, ask about the role and oversight of subcontractors. Finally, it may be worth exploring specialized insurance coverage for cybersecurity liability. Applicants for this coverage will need to demonstrate awareness and implementation of cybersecurity best practices. Unfortunately, coverage may be difficult to obtain and/or expensive, given increasing volumes of cyber-attacks.


Liability insurance is indeed wise, since even with great diligence, plan sponsors can never fully eliminate the threat of a cybersecurity breach—or the associated risk of fiduciary breach allegations. That’s why Colonial Surety is here to help with affordable, easy to obtain Cyber+Fiduciary Liability Insurance. With this protection, for a few dollars a day, plan sponsors have coverage for defense costs and penalty limits up to $1,000,000 if faced with alleged or actual breaches of duty in connection with the employee retirement plan. Cyber Liability coverage is included at no extra cost, providing additional protection against regulatory actions related to data and privacy, as well as expert response services.





Resources For Plan Sponsors

In addition to reviewing the cybersecurity information provided by the Department of Labor, plan sponsors will find it helpful to know that in the United States, overall cybersecurity resilience efforts are led by the Cybersecurity and Infrastructure Security Agency (CISA). Small and midsized businesses may find CISA’s associated resources especially helpful, since they are typically without the capabilities of larger companies. Experts also suggest: “Plan sponsors may want to consider creating a rolling calendar via which important topics like cybersecurity and participant data are regularly brought up for internal discussion among key stakeholders including HR, finance, legal, IT and communications.”


The Society of Professional Asset Managers and Recordkeepers (SPARK) is a further source of support for plan sponsors. This nonprofit offers many cybersecurity and fraud resources, including a “Plan Sponsor and Advisor Guide to Cybersecurity” on its website. Specifically, SPARK provides a helpful summary, with examples, of “17 control objectives” plan fiduciaries can use to strengthen data security. Another important cybersecurity resource for plan sponsors is Colonial Surety, which includes a cyber breach response plan in its affordable Cyber+Fiduciary Liability Insurance package. Along with defense costs and penalty limits up to $1,000,000, our liability insurance package for plan sponsors includes:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call center services.
  • Credit and identity monitoring.




Pension plan professional? Colonial can help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re here with the coverages pension professionals need to keep the business going—and growing.




Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.