PLANSPONSOR - February/March 2019 - 63

INSIDE ANGLE
Cybersecurity Risks Increase
Providers introduce guarantees

All too often there's a new story describing a cybersecurity
incident exposing the personal, identifiable
information of millions of individuals to identity
theft and fraud. As is painfully obvious to those of us in the
retirement industry, cyber threats pose an incredible danger
to plan assets. Today, it is almost universal that plan sponsors
and service providers store information electronically as
opposed to on paper. While storing information electronically
provides enormous benefits and cost savings for the industry,
it creates a clear and immediate risk of losing plan assets
through cyber breaches.

While cyber risks are ever increasing, there is no comprehensive
legal framework for dealing with these issues, as no one
federal law governs cybersecurity for plans or service providers.
Instead, there exists a patchwork of state and federal laws and
regulations, including the Gramm-Leach-Bliley Act and the
Employee Retirement Income Security Act (ERISA).

In 2016, the ERISA Advisory Council stated that there is
no single approach to avoiding the risk related to cyber incidents.
However, the council did note that sponsors and fiduciaries
should understand, among other things, where plan data
is held, how it is stored and secured, the length of the retention
period, what persons have access to the data, and how the data
is accessed and transmitted.

The issue has also recently drawn the attention of Capitol
Hill. In a letter dated February 12, Representatives Robert Scott
and Patty Murray asked the Government Accountability Office
(GAO) to address several questions related to cybersecurity
risks and the U.S. retirement system. Among other representatives,
Scott and Murray requested that the GAO address: 1) what
potential threats cyberattacks pose to U.S. retirement plan data;
2) what steps plan service providers should take to ensure they
protect plan data from these threats; 3) what steps plan sponsors
should be required to take in the event of a data breach;
and 4) what are possible legislative or regulatory options to
bolster the protection of data and accounts of retirement savers.

In the absence of clear guidance, plan sponsors have begun
to review their plan's own security measures, as well as how
the plan communicates with participants about ways to protect
their data. Similarly, service providers have adopted safeguards
and protocols to avoid succumbing to a cyber breach. However,
some service providers have been unwilling to share their
protocols with sponsor clients for fear that doing so could expose their
system to future attacks.

Even with these measures, it has become increasingly
common for plan data to be stolen, resulting in losses to plan
participants. These losses frequently occur without evidence
that the service provider, plan fiduciary or participant is at fault.
Thus far, service providers have been willing to cover the cost of
a cyber breach, even though they were not negligent or in breach
of contract, in order to avoid reputational risks associated with
such losses. That may soon be ending. Given the potential losses
associated with retirement savings, service providers have begun
to reassess whether they should cover the loss where they were
not at fault.

Recently, some plan service providers have introduced
so-called "cybersecurity guarantees," which state that the provider
will cover plan losses attributable to cyber incidents only to the
extent that the plan and participants adopt and implement the plan
recordkeeper's latest enhancements to thwart cybercriminals. In
other words, where there is evidence that the acts or omissions
of the plan sponsor or a participant enabled the occurrence of a
breach, a service provider may be unwilling to reimburse the loss.

These new contractual provisions often include requirements
that the plan sponsor adopt a communications campaign
or that the participant agree to two-factor authentication before
engaging in any transaction involving the plan. Thus far, plans
have not adopted these policies en masse due to concerns that
additional safeguards will lower plan engagement. However,
that concern has become increasingly less common as awareness
of cyber threats has grown.

Whether cybersecurity guarantees will work remains to be
seen. We think they are a step in the right direction. While these
policies could help delineate the responsible party and further
highlight the need for prudent cybersecurity practices, there
still will be instances where plan participants, through no fault
of their own, suffer plan losses not covered by the guarantee.
We also expect that cybersecurity will continue to be an area of
focus and continued consternation for both the retirement plan
marketplace and regulators.

Stephen Saxon is a partner with Groom Law Group,
Chartered, in Washington, D.C. George Sepsakos, a principal
with Groom, contributed to this article.