PLANSPONSOR - April/May 2018 - 86

ERISA EXAMINATION
Cyber Risks
G
Electronic recordkeeping raises concerns
one are the days when plan records were all maintained
on paper. Now, most are kept electronically by
the employer, recordkeeper, trustee and/or third-party
administrator (TPA). Online access to plan records can help facilitate
retrieving and retaining participant information, as well as
in generating reports.
In the world of smart phones and increased technology,
participants expect to have instant electronic access. But electronic
recordkeeping also raises cybersecurity concerns. Cyber
breaches and hacking incidents appear in the news on a regular
basis. Plans are not immune to this risk. Cyber breaches with
respect to plans can result in improper access to personal information
and to plan assets.
So what does this mean for the plan committee? The
Employee Retirement Income Security Act (ERISA) regulation
governing electronic disclosure of plan communications
requires that plan fiduciaries take " appropriate and necessary "
steps designed to make sure the electronic system for
providing plan information protects the confidentiality of
personal information and includes measures designed to
prevent unauthorized access to it. Thus, the committee has
an obligation to protect participant information provided
through an electronic system.
But let's be realistic. There is no foolproof way to guarantee
a plan's information will not be the subject of a cyberattack.
As with other fiduciary obligations, the key becomes acting
prudently and taking reasonable steps based on all of the facts
and circumstances.
Plan fiduciaries can, and should, take steps designed to
protect participant data. This means reviewing and considering
the employer's records system protections as well as gathering
information and representations regarding cybersecurity
protections implemented by the plan's service providers. The
committee should ask service provider candidates about their
cybersecurity policies and protections during the request for
proposals (RFP) process.
Additionally, on a periodic basis-perhaps annually-the
committee should ask its current service providers for updates on
their: cybersecurity policies; compliance with policies; whether
any security breaches have occurred; and procedures for mitigating
a breach should one happen.
In 2016, the ERISA Advisory Council issued the report
86 PLANSPONSOR.com April-May 2018 Art by Joseph Ciardiello
" Cybersecurity Considerations for Benefit Plans " to the secretary
of Labor. The council recognized the significant cyber risks associated
with plans, given the amount of data maintained electronically-names,
birthdates, Social Security numbers, addresses,
account balances, etc.-and recommended steps to take in the
ongoing process of managing cybersecurity risks. The council
noted that any cyber-protection strategy should be specific to a
particular plan, but, generally, some steps to take include the
following:
* Implementation and monitoring. Someone should be
responsible for implementing and monitoring the plan's cybersecurity
strategy.
* Testing and updating systems. Establish the frequency and
type of testing.
* Reporting. Reporting is critical to ongoing monitoring.
* Training. Individuals with access to plan data should
understand and be aware of cyber risks.
* Controlling access. It's important to know who has access
to plan data and limit that to only those who need it to perform
plan functions.
* Data retention and destruction. Consider destroying information
when it's no longer needed-but not too soon; there are
ERISA and Internal Revenue Code (IRC) rules regarding document
retention (let's save that for a future article).
* Third-party risk management. The committee should
understand the plan's service provider systems and security
protections.
Developing a cybersecurity strategy that takes these points
into consideration can go a long way toward protecting participant
data. The committee may also consider purchasing insurance,
as more and more insurance carriers now offer cybersecurity
insurance. In any event, plan committees should not ignore
cybersecurity risks to plan data and assets.
Taking steps to consider and implement a cyber-riskmanagement
strategy internally and with respect to the plan's
service providers may not mean the plan will never be hacked,
but it is evidence that the committee is acting reasonably and
prudently concerning the plan's electronic data.
Summer Conley is a partner in the Los Angeles office of
Drinker Biddle & Reath LLP. Michael Rosenbaum is a partner
in the firm's Chicago office.
http://www.PLANSPONSOR.com
PLANSPONSOR - April/May 2018

Table of Contents for the Digital Edition of PLANSPONSOR - April/May 2018
