Most plan sponsors outsource retirement plan operations and administration to service providers, making it tempting to believe that cybersecurity is the responsibility of third parties too. Not so fast, say experts, including accountants. Here are insights on plan sponsor responsibilities related to cybersecurity oversight.
Outsourcing: Inherent Risks
Accounting giant EisnerAmper reminds us that, bottom line, plan sponsors have a fiduciary duty to safeguard plan assets, and explains that outsourcing actually heightens the need for vigilant cybersecurity:
Outsourcing elevates cybersecurity risk because of the electronic communications between service providers combined with the sensitivity of the information being shared between parties. Plan sponsors, custodians, record keepers, third party administrators, payroll providers and participants all share personal information in the administration of employee benefit plans. All parties have access to names, dates of birth, Social Security numbers, home addresses, compensation and even sensitive information related to beneficiaries. In the case of health and welfare plans, these parties also have access to private medical information. Any company or service provider that has access to or stores this information is at risk for exposure of sensitive information.
Since plan sponsors must ensure that there is no unauthorized access to plan information, monitoring how third-party service providers protect plan data is itself a fiduciary responsibility. To oversee the sharing, retention and use of participant data, EisnerAmper recommends that plan sponsors:
- Identify the information collected by service providers.
- Review service provider contracts for a discussion on the use and retention of participant data, any cross-marketing practices and a discussion on each party’s responsibility in the event of a breach.
- Identify every system used to transmit information to service providers, and every system the service providers themselves use to process it, and confirm that participant information is protected on each of them.
- Request cybersecurity policies and procedures from service providers and assess their appropriateness. Inquire on the compliance and/or testing of the effectiveness of these policies and procedures.
- Educate employees on cybersecurity risks, including periodic cybersecurity awareness training.
Cyber Breaches and Fiduciary Breaches?
Yes, breaches in cybersecurity can result in allegations of breaches in fiduciary duties. Even seemingly small incidents can rapidly spiral into disasters. According to the U.S. Department of Labor, “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Among the DOL’s recommended best practices for doing so is putting in place a cyber breach response plan. In fact, ERISA law experts stress the importance of both fiduciary and cyber liability insurance, noting: “Doing without it would be a bad idea since your plan would potentially be exposed to uncapped liability in the event of litigation.”
Colonial Surety is here to help plan fiduciaries at businesses of all sizes: a whole year of our Fiduciary Liability Insurance costs less than a single hour with an ERISA legal expert if disaster strikes, and we include Basic Cyber Liability Insurance with the policy. Armed with Colonial’s Fiduciary-Cyber Liability Insurance Pack, if you face claims of alleged or actual breaches of duty in connection with the employee retirement plan, you’ll be covered for defense costs and penalties up to a limit of $1,000,000. In the event of a cyber breach, your business and plan will also receive support at every stage of incident investigation and breach response, as well as coverage against lawsuits or regulatory actions related to the breach.
Three Point Plan?
Given the enormous responsibilities involved in sponsoring a retirement plan, many plan sponsors find Colonial’s Three Point Coverage Package reassuring. It gives plan sponsors the greatest value and protection, providing:
- the required ERISA bond to protect the assets of the retirement plan from theft;
- Fiduciary Liability coverage to protect you and your assets from personal liability;
- Cyber Liability coverage to safeguard your company and plan from covered losses and expenses in the event of a cyber breach.
Colonial Surety was founded in 1930 and brings deep experience and market expertise to every product and every customer relationship. Colonial Surety gives its customers the assurance that they, their businesses, and their clients are safeguarded with the right surety and insurance products at all times.
We make it easy for a wide range of industries and professions to buy the bonds and insurance products they need. Colonial Surety is a direct and digital insurer offering products through an online platform supported with exemplary customer service. The company gives customers a simple, direct, and instant service that takes the pain out of buying insurance and bonds. Colonial Surety is licensed in every state in the U.S., rated “A” Excellent by A.M. Best, and listed by the U.S. Treasury as an approved surety.