Under ERISA, business owners who sponsor 401(k) plans have important fiduciary responsibilities related to the prudent selection and monitoring of service providers. EBSA has now issued guidance to ensure plan sponsors choose service providers who have strong cybersecurity practices.
EBSA’s Tips: Selecting Service Providers
The Employee Benefits Security Administration (EBSA) has recognized the heightened need for attention to best practices in cybersecurity related to retirement plan accounts—and data. Emphasizing that business owners and fiduciaries are responsible, under ERISA, for the prudent selection and monitoring of service providers, EBSA has released Tips for Hiring A Service Provider With Strong Cybersecurity Practices.
The government’s new Tips underscore the importance of plan sponsor vigilance when contracting with service providers. Specifically, it is important that contracts explicitly detail how the provider will continuously comply with cybersecurity standards and best practices on behalf of your retirement plan and participants. EBSA stresses that these standards and practices apply to both large and small retirement plans. Contract terms that EBSA recommends for the protection of the retirement plan and participants include:
- Information Security Reporting. The contract should require the service provider to annually obtain a third-party audit to determine compliance with information security policies and procedures.
- Clear Provisions on the Use and Sharing of Information and Confidentiality. The contract should spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information….
- Notification of Cybersecurity Breaches. The contract should identify how quickly you would be notified of any cyber incident or data breach. In addition, the contract should ensure the service provider’s cooperation to investigate and reasonably address the cause of the breach.
- Compliance with Records Retention and Destruction, Privacy and Information Security Laws. The contract should specify the service provider’s obligations to meet all applicable federal, state, and local laws… and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.
- You may want to require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage….
Cybersecurity Support Especially for Small Businesses
Realistically, doing the work of assessing your provider contracts vis-à-vis the latest governmental guidance will take you some time. Why not go ahead and boost your risk mitigation plan with Colonial Surety Company’s affordable protection package? The annual premiums of Colonial’s protection packages for retirement plan sponsors are less than what you will pay for even one hour with an expert ERISA lawyer if an unexpected allegation or new compliance issue lands on your desk.
Protect your business—and yourself—today. It’s easy. Colonial’s comprehensive package includes:
- The required ERISA bond which protects the assets of the retirement plan from theft;
- Fiduciary Liability coverage to protect you and your assets from personal liability; and,
- Cyber Liability coverage to safeguard your company and plan from covered losses and expenses in the event of a cyber breach.
Mitigate Your Risks: Be Response Ready
The government’s new guidance puts increased importance on protecting retirement plan data and funds in the cyber era. Confronting the rise in cyber threats, small businesses are generally without access to the services and protections that larger companies are able to put in place. Not having a response plan has resulted in disaster.
Why scramble if the unforeseen occurs? As a leading national provider of ERISA bonds, Colonial Surety Company is helping plan sponsors across the country with affordable Cyber Liability protection. A key feature of Colonial’s Cyber Liability coverage is data breach response services.
In the event of a breach, Colonial provides a dedicated team of experts who assist at every stage of incident investigation and response. Carefully vetted forensic and legal experts establish what’s been compromised, assess responsibility and notify impacted individuals. As needed, call center support and credit and identity monitoring are provided—and even public relations experts. Liability protection in the event of covered lawsuits or regulatory actions due to a data breach? Of course, that’s included too.
Get your cybersecurity breach response plan in place quickly, and affordably with Colonial Surety Company: Cyber Liability Protection for Plan Sponsors.
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed, and in business all across the country.