ERISA and Employee Benefit Plans: Time to Get Serious About Cybersecurity
In 2021, the United States Department of Labor (DOL) issued guidance for fiduciaries to secure their benefit plans in connection with the Employee Retirement Income Security Act (ERISA). When it comes to private retirement and health plans, participant data and account assets must be protected under ERISA. But how are fiduciaries and plan sponsors protecting that data and those assets from threat actors in cyberspace?
While many fiduciaries and plan sponsors have improved their cybersecurity posture over the past few years as compliance regulations and requirements for cybersecurity insurance demanded it, they have neglected to appropriately identify risk and adjust their policies to keep up with the ever-evolving threat landscape. A 2020 Cyber Security Risk Report by Aon found that “organizations often have a false sense of confidence regarding data security, particularly when it comes to risk potentially posed by third-party service providers.” In terms of fiduciaries and plan sponsors, this oversight makes them a liability and exposes them to litigation risk and possible non-coverage if their cybersecurity insurance providers can prove that they have failed to properly safeguard and protect participant data.
Legal Considerations
Qualified plans face the risk of theft of participant assets or data, necessitating a robust cybersecurity program. Under ERISA, judges assess breaches based on procedural prudence, evaluating fiduciaries and plan sponsors’ adherence to cybersecurity measures, particularly in mitigating third-party risks.
All 401(k) plans must adhere to procedural prudence standards, mandating fiduciaries and plan sponsors to exercise care, skill, and diligence akin to prudent professionals in similar circumstances.
With approximately $9.9 trillion in retirement account assets, benefit plans attract threat actors, highlighting the importance of risk assessments for fiduciaries and plan sponsors. These assessments identify threats, evaluate likelihoods, and gauge impacts, informing adjustments to the cybersecurity program.
A 3-Step Cycle of Assessment, Mitigation and Education
1. Assessment and Team Formation
- Define, document, and assemble a team of stakeholders from key departments such as HR, IT, Finance and Risk Management.
- Consider external assistance for risk assessment and analysis, involving legal counsel or compliance to mitigate legal or compliance exposure.
- Identify threats across various categories and assess their likelihood and impact to determine overall risk.
2. Policy Review and Gap Analysis
- Review current cybersecurity policies and procedures to identify internal and third-party vendor gaps.
- Ensure thorough understanding of data access and security measures, both at rest and in transit.
3. Education and Vigilance
- Educate staff on cybersecurity threats through regular security awareness training.
- Conduct phishing simulations and exercises to gauge effectiveness.
- Implement annual cybersecurity awareness training, incorporating real-world scenarios.
This continuous cycle of assessment, mitigation, and education aims to safeguard plan assets and data effectively.
Cybersecurity Best Practices
Beyond the cycle of assessment, mitigation, and education, fiduciaries and plan sponsors can further improve their cybersecurity posture by establishing policies and controls in the following areas:
- Data Governance and Classification
- Business Continuity and Disaster Recovery (Backups and Restores)
- Asset Management
- Vulnerability and Patch Management
- Privacy Policy
- Encryption (Protecting data transmitted or at rest)
- Acceptable Use
Conclusion
In conclusion, the threat landscape facing plans governed by the Employee Retirement Income Security Act (ERISA) and Employee Benefit Plans (EBPs) underscores the critical need for fiduciaries and plan sponsors to prioritize the protection of plan data. The increasing sophistication of cyber threats demands a proactive and holistic cybersecurity strategy, encompassing the three-step cycle of assessment, mitigation and education. By adhering to this approach and implementing key practices such as incident response planning and diligent management of third-party risk, fiduciaries and plan sponsors can maintain a cybersecurity program that meets the standard of procedural prudence.
Bryan M. Smith
Michael S. Bigler, CPA