Cyber for Plan Sponsors

Security Breaches Defined

Since the Department of Labor issued Guidance in 2021 directing retirement plan sponsors to monitor the cybersecurity protocols in use by service providers, there has been a great deal of confusion about what exactly this responsibility entails. Experts offer a “base of communication” to help plan sponsors engage appropriately.


Protection Against Cybercrime

The SPARK Institute, an advocate for protecting retirement plans from cybercrime, reminds plan sponsors and record-keepers, “The threat of retirement account take-overs and fraud is on the rise — and will only increase — as criminals actively target retirement savings.” Toward protection, the DOL’s Cybersecurity Guidance set the expectation that plan sponsors monitor the cybersecurity practices of all service providers. However, there is no shared understanding of what exactly constitutes a cybersecurity breach, and this gap impedes plan sponsors from engaging in the appropriate communications with service providers. Toward a shared foundation for understanding what is meant by “security breach,” the SPARK Institute offers this definition:


A security breach is a confirmed compromise of an information system within the authority or responsibility of the record-keeper that results in:

  1. The unauthorized acquisition, disclosure, modification or use of unencrypted personal data, or of encrypted personal data where the encryption key has also been compromised.
  2. A likely risk of identity theft or fraud against the data subject.

A good faith but unauthorized or unintentional acquisition, disclosure, modification or use of personal data by an employee or contractor of the record-keeper, or by a party who has signed a confidentiality agreement with the record-keeper, does not constitute a security breach if the personal data is not subject to further unauthorized acquisition, disclosure, loss, modification or use.


Although these definitions “do not supersede” state or federal laws, or guarantee the prevention of data breaches, they do provide a shared starting point for plan sponsors and record-keepers to engage in conversation about “mutually agreed upon contractual protections.” These examples of common security breaches also prepare plan sponsors for clear and productive communication:

Attack—A successful attack on a record-keeper’s network or information system that results in unauthorized acquisition of participant records.

Intrusion—An intrusion into a record-keeper’s external cloud account that results in the attacker acquiring unencrypted personal data.

Lost unencrypted laptop—The loss of an unencrypted laptop that stores personal data when it is likely that the loss may result in identity theft or fraud.

Data file loss—A data file provided by the record-keeper to a third party who has not signed a data confidentiality agreement, when it is likely that the loss may result in identity theft or fraud.


In addition to the ongoing monitoring of cybersecurity practices associated with retirement accounts, the DOL’s Cybersecurity Guidance also emphasizes the importance of having a cyber-breach response plan at the ready. Since it is impossible to guarantee cyber breaches will not occur, response plans are essential—and make the difference in whether or not a cybersecurity incident spirals into a disaster. Plan sponsors across the country are putting expert response plans in place quickly via Colonial Surety’s affordable Cyber-Fiduciary Liability package, which includes:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call center services.
  • Credit and identity monitoring.


Now available with just a one-year commitment, Colonial’s Cyber-Fiduciary Package also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. Since a cyber-breach can quickly spiral into allegations of a fiduciary breach, it’s critical for retirement plan sponsors to have both cyber and fiduciary liability protection. Colonial makes it so efficient and reasonable that you can secure your protection in minutes now:


Cyber and Fiduciary Liability Insurance Here.


Pension plan professional? We’re here to help you make sure your plan sponsor clients have the coverage they need—and we’ve got you too. From Errors and Omissions Insurance to Fiduciary Liability Insurance, Employment Practices Liability Insurance, and more, we’re HERE with the coverages pension professionals need to keep the business going—and growing.


Insurance for Pension Professionals Right Here.

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.