Plan sponsors face continuous challenges with cybersecurity risks and potential disruption to plan operations, which ultimately could impact plan participants. Plan sponsors have a fiduciary duty under the Employee Retirement Income Security Act of 1974 (ERISA) to ensure that participant information and plan assets are protected.
Personally Identifiable Information Susceptibility
Employee retirement plans contain personally identifiable information (PII) – items such as names, dates of birth, social security numbers and addresses – that can be exposed to an attacker during a cyberattack. Both plan sponsors and service providers have been victims of attacks aimed at stealing PII, as well as of fraudulent asset transfers and ransomware attacks.
Duty to Monitor Extends to Data Protection
Most retirement plans use service organizations for their electronic records and transactions. Many plan sponsors believe that the risk of a cyberattack is relatively low if the service organization has a SOC 1 report with no reported issues. It is important to note that SOC 1 reports only address internal controls related to financial reporting. Because of this narrow focus, cybersecurity risks may not be addressed at all. As part of their ERISA “duty to monitor” service providers, plan sponsors are required to understand how each service provider stores and protects participant data. It is important to discuss preventive cybersecurity measures with every service provider utilized by the plan.
Insurance Policies Don’t Always Cover Cyber Risks
Companies may also believe that their general commercial insurance policies cover cybersecurity attacks, but that is not always the case. Coverage terms are usually customized by your business’ insurance company based on its specific needs and industry. Some insurance providers will either create a new policy or provide an add-on to the current policy.
If gaps are found in coverage, leadership may want to consider adding cyber insurance to the policy.
Address Risk Today
There are things that you can start doing now to address cyber risks. There is no one-size-fits-all approach; the right measures vary by company, plan sponsor and the nature of the retirement plan. Plan sponsors should evaluate their cybersecurity governance plan to ensure alignment with their risk tolerance and the overall protection of the plan. If plan sponsors do not have a cybersecurity governance plan in place, implementing one as soon as administratively feasible would be advisable. Such an evaluation would include an assessment of:
- Cyber risks and governance structure
- Impact on plan risks and plan’s operational needs
- Compliance requirements to address confidentiality and privacy regulations
- Current contracts and procedures with third-party service providers of the plan
- Training program to develop a culture that integrates cybersecurity into plan processes
- Safeguards and processes to protect systems and data from threats and vulnerabilities
- Mitigation and recovery response plans
- Communication, tracking, and monitoring of goals by the plan sponsor.
In addition to the items above, the AICPA’s Cybersecurity Resource Center also provides further information and resources to help organizations assess risks. In recent years, the Department of Labor’s ERISA Advisory Council has also included this as a hot-button item in their discussions and has developed their own recommendations.
The cost of a cyber breach can be substantial when a company has to determine the extent of the attack and then recover and restore the affected systems.
According to statistics from the Securities Intelligence branch of IBM, the average cost of a data breach in 2019 was $3.92 million, and more than 50 percent of those breaches were caused by malicious or criminal attacks. It is becoming not a matter of if a company or retirement plan will be attacked, but when. This is something that should be addressed sooner rather than later to ensure security, privacy and protection against a cyberattack.
For more information regarding the requirements and duties of employee benefit plan sponsors, email Employee Benefit Plan Practice Leader Anne Morris, CPA.