There is a lot at stake when a retirement plan suffers a cyberattack, especially given the amount of personal participant data and plan asset information that can be compromised. Plan sponsors of retirement plans subject to the Employee Retirement Income Security Act (ERISA) may be aware of this risk; however, they may not be aware of their fiduciary duties as to cybersecurity.
Under ERISA, plan sponsors must act prudently and solely in the interest of plan participants and their beneficiaries for the exclusive purpose of providing them with plan benefits. If a cyberattack occurs, and plan assets are diverted and misused, then the plan sponsor could be liable for a fiduciary breach on grounds that the plan sponsor failed to satisfy this duty of loyalty and prudence. The consequences of a fiduciary breach can be quite severe. The plan sponsor could be required to make the plan whole for losses, send breach notifications, provide identity-theft protection services to those affected, and more.
What can a plan sponsor do to avoid a fiduciary breach under ERISA? Here are a few important responsibilities that the plan sponsor should undertake.
Compliance with the Plan Documents
The plan sponsor has a fiduciary duty to follow the documents and instruments governing the plan. While most retirement plans do not contain specific language regarding cybersecurity, there may be policy documents adopted under the plan that address cyber risk management and that are considered documents governing the plan. The plan sponsor should familiarize itself with such policies and evaluate plan operations to ensure they are carried out in accordance with their terms.
Protection of Electronically Transmitted Participant Information
The Department of Labor (DOL) has issued specific rules regarding the electronic transmission of personal participant information. The rules require that plan fiduciaries take –
“appropriate and necessary measures reasonably calculated to ensure that the system for furnishing documents…protects the confidentiality of personal information relating to the individual’s accounts and benefits (e.g., incorporating into the system measures designed to preclude unauthorized receipt of or access to such information by individuals other than the individual for whom the information is intended).” DOL Reg. Section 2520.104b-1(c)(1)(i). [emphasis added]
To comply with this rule, the plan sponsor should examine its internal technological system that stores and transfers data relating to plan participants and ensure that it is “reasonably calculated” to protect the transmitted information. Also, internal personnel who perform duties related to this system should be educated on their responsibilities to protect the transmitted data. The “system,” however, may involve not only the plan sponsor’s internal technological system but also that of a third-party vendor, such as a recordkeeper to a 401(k) plan. In that case, as discussed further below, the plan sponsor will also need to evaluate and monitor the vendor’s operations to ensure that this rule is satisfied.
Prudent Selection and Monitoring of Third-Party Service Providers
The plan sponsor has a fiduciary duty under ERISA to prudently select and monitor service providers. When it comes to cybersecurity, the plan sponsor should not rely blindly on the integrity of the service provider’s operations. The plan sponsor’s fiduciary duty includes a duty to ensure that the service provider has a comprehensive cybersecurity policy in place to protect plan and participant information. The plan sponsor should review the policy for completeness and should also consider how it impacts the plan sponsor’s internal electronic communication processes. Once the service provider is hired, the plan sponsor has a continuing duty to monitor the service provider’s performance, which should include evaluating whether the service provider is complying with its policy.
In addition to reviewing the service provider’s cybersecurity policy and monitoring the service provider’s performance, the plan sponsor should ensure that the service provider agreement includes appropriate contractual protections. A number of provisions should be included, such as the following:
- Representation by the service provider that it maintains a cybersecurity policy and agrees to follow it;
- Description of the limitations and restrictions on the service provider’s use of and access to plan and participant data;
- Description of the way in which the service provider will respond to cybersecurity breaches – e.g., notification to the plan sponsor, duty to remediate, etc.;
- Allocation of liability for cybersecurity breaches and related costs.
There are additional contractual protections that may be needed as well. In describing the allocation of liability for cybersecurity breaches, the main goal should be to allocate as much liability as possible to the service provider that develops and operates the technological systems necessary to carry out plan services. It is advisable to seek the assistance of legal counsel in negotiating the needed contractual protections.
Plan sponsors should be mindful of their fiduciary duties when addressing cybersecurity issues. The plan sponsor can avoid a potential fiduciary breach and protect participant interests by putting appropriate internal cybersecurity safeguards in place and prudently selecting, monitoring and contracting with third-party service providers.