Retirement plan sponsors from small and midsize businesses are challenged by the task of evaluating the cybersecurity procedures and protocols of recordkeepers and other service providers. Experts provide advice about adhering to the Department of Labor’s Cybersecurity Program Best Practices and Tips for Hiring a Service Provider.
Evaluating the Cybersecurity of Providers
Across the industry, retirement plan recordkeepers report ratcheting up cyber security efforts, but smaller businesses are struggling to keep up with the responsibility of regularly assessing the fraud and data controls in use by their service providers. Although fiduciaries of large retirement plans can put staff and business resources behind this duty, those with smaller plans are less able to do so—and find themselves in the dark when it comes to understanding and evaluating the cybersecurity efforts of their providers. As Bloomberg Law reports:
Many small U.S. retirement plan sponsors aren’t evaluating the tech firms they’ve hired to protect user data even with recent U.S. Labor Department guidance and stepped-up enforcement. A Cerulli Associates Inc. quarterly report late last month found that…most small-to-mid-sized plans still don’t have formal written processes for overseeing their recordkeepers’ fraud prevention practices. As the DOL ups its cybersecurity enforcement and litigation emerges, plan fiduciaries become solely responsible for sensitive information about their participants falling into the wrong hands under someone else’s watch.
“The plan fiduciaries are the ones who have the ultimate responsibility to mitigate risk,” said Jeanne Klinefelter Wilson, a principal attorney at Groom Law Group Ctd., who headed the DOL’s Employee Benefits Security Administration under former President Donald Trump. “It’s up to them when they hire someone to keep records and to consider a lot of factors, including cybersecurity.”…Plan sponsors who may lack the training or experience needed to vet another company’s cyber practices are still legally bound to do so.
Even before the release of the DOL’s heightened expectations about the duties of plan sponsors related to cybersecurity, ERISA obligations were among the highest known to law. The reality is that, despite diligent effort, plan sponsors can face allegations of a fiduciary breach. Even a defense against allegations of a fiduciary lapse is costly and disruptive, with ERISA lawyers costing over $600 per hour. That’s why it is important to obtain fiduciary liability insurance from Colonial Surety Company. It covers the business—and the plan sponsor—against claims of alleged or actual breaches of duty in connection with the employee retirement plan. Colonial even includes cyber liability insurance along with fiduciary liability insurance—and the annual premium for this comprehensive protection is less than just an hour or two with an ERISA lawyer. Get covered now: Choose Your Plan Sponsor Liability Protection Here.
Ask The Questions
Retirement plans across the country are finding out that the Department of Labor is already working to enforce the cybersecurity guidance that was issued earlier this year. Be sure to study up on the U.S. Department of Labor (DOL) guidelines for mitigating the risks of cyber threats to retirement accounts. Industry experts predict that a “tidal wave” of cybersecurity compliance actions is likely to be devastating to small businesses that have not been able to keep up with the guidance. As Bloomberg Law concludes: “It may not matter that recordkeepers are ramping up their cybersecurity practices if smaller employers who are responsible for their participants’ data and information can’t access the information they need to document it.”
How can plan sponsors from small and mid-size businesses begin to exercise their fiduciary duties related to the cybersecurity protocols of their service providers? Experts such as Sarah Bassler Millar, a partner at Faegre Drinker Biddle & Reath LLP in Chicago, advise asking questions—and documenting the responses. As Millar explains: “I think, at a minimum, it’s important to ask the questions. We’ve seen this story play out in other areas in the past; when lots of different employers are asking the same questions, it moves the needle for these big recordkeeping firms.”
Cyber Breach Response Plan?
While finding out what all of your service providers are doing to increase the cybersecurity of the retirement plan, do not neglect your own efforts. With Colonial’s help, you can put a cyber breach response plan in place, affordably, today. Remember, a cyber breach is not always a disaster, but mishandling it is. In fact, cyber breaches can lead to allegations of fiduciary breaches too. That’s why Colonial Surety’s multi-year protection packages for plan sponsors conveniently come with Cyber Liability Insurance. Get covered today, and in the event of a cyber breach at your business, experts will identify what’s been compromised and coordinate the response. Liability protection in the event of covered lawsuits or regulatory actions due to a data breach? That’s included too.
Colonial’s multi-year packages provide the greatest convenience and value, ensuring continuous compliance and protection. Packages include:
- The required ERISA bond which protects the assets of the retirement plan from theft;
- Fiduciary Liability coverage to protect you and your assets from personal liability; and,
- Cyber Liability coverage to safeguard your company and plan from covered losses and expenses in the event of a cyber breach.
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.