Three Levels of Responsibility: Cybersecurity


Though we all know cyber threats are out there and we are in some way responsible for the protection of the retirement plan, we are not always clear on the specific kinds of actions that are helpful—and expected. Experts offer pointers on three areas of responsibility for plan fiduciaries.



Percy Lee, an employee benefits law attorney with Ivins, Phillips & Barker has observed that plan fiduciaries are receiving document requests and questions about cybersecurity from the Department of Labor (DOL) with increased frequency. Summer Conley, a partner with Faegre, Drinker, Biddle and Reath, concurs, noting “cybersecurity has become one of the DOL’s priority items, with its regulators asking a laundry list of cybersecurity questions during investigations.” According to Conley, it’s imperative for retirement plan fiduciaries to not only address cybersecurity when choosing a service provider, but also to “add a cybersecurity review to their annual work plan, like they do with investment reviews.” Essentially, experts advise focusing on cybersecurity at these three levels:


  1. The choice of service providers;
  2. The plan sponsor’s internal policies; and,
  3. The communications about cybersecurity for participants.


If you are not sure what to ask about or look into when choosing and reviewing providers, a good starting point is the Department of Labor’s guidance, which specifically includes questions to ask providers, tips about best practices and even information to share with participants about their role in protecting their accounts. Recommended questions to ask third party service providers include: “What has the provider’s record been? Has it experienced any breaches? What is its plan in case of a breach? How would a breach be reported? And what technical certifications do staff members have in cybersecurity?”


Experts also remind plan fiduciaries that vigilance about the protocols of service providers is not only important when choosing providers—but continuously: “Where many fiduciaries come up short is the fact that the relationship with the major recordkeepers has become routine…Have these cybersecurity conversations with them not just at renewal time, but also on a periodic basis.” One tactic for doing so is to invite service providers “to make a presentation about their cybersecurity protocols once a year…That will be part of your minutes and be well-documented in case of an audit…”


Of course, no matter how diligently retirement plan fiduciaries work to address cybersecurity, they can never fully eliminate the possibility of a breach. Similarly, plan fiduciaries can never fully eliminate the risk of being held personally liable for fiduciary breaches. Under the high standards of ERISA law, even a relatively small cyber incident can rapidly spiral into allegations of a fiduciary breach. Why take unnecessary risks? Colonial’s ERISA Protection Package includes both Fiduciary and Cyber Liability Insurance, providing:


  1. Legal defense and coverage for penalties against claims of alleged or actual breaches of fiduciary duties.
  2. Defense against lawsuits and regulatory actions related to a cyber breach.
  3. Expert-led response, notification and crisis management services to prevent a cyber incident from spiraling into a disaster.


The annual cost of our ERISA Protection Package is less than the fee for one hour of expert legal defense if a lawsuit or regulatory challenge strikes you and your business. Let’s get you covered, in minutes, today:

Cyber and Fiduciary Liability Insurance Here.


Good To Know, and Do

Among the DOL’s recommended best practices for mitigating cybersecurity risk is having a cyber breach response plan that prevents incidents from spiraling into disasters. Colonial Surety makes it easy and affordable for even small businesses to put a cyber response plan in place, immediately. In fact, an extensive cyber response plan is included in Colonial’s Cyber-Fiduciary Liability package, providing:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call center services.
  • Credit and identity monitoring.


Colonial’s Cyber-Fiduciary Package also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan. At Colonial, we make it so efficient and reasonable for plan sponsors to secure insurance that you can do it in minutes, now:

Cyber and Fiduciary Liability Insurance Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.