It seems that barely a week goes by without news of another major cyberattack at a large corporation. Employee benefit plans aren’t immune from the risk of a cyberattack, either. This makes it critical to devise a strategy that minimizes your plan’s exposure to cyberattacks and other cybersecurity risks.
Specific ERISA Duties
As a plan sponsor, you have certain duties under ERISA related to the impact that a cyberattack or data breach could have on plan participants and beneficiaries. Specifically, you should be prepared to respond to and recover from an attack. This involves anticipating critical actions and decisions before an attack occurs, not during or after the attack. Cybersecurity issues are different for ERISA employee benefit plans than they are for other areas of your business. Therefore, your cybersecurity risk mitigation plan should be separate and distinct from your enterprise-wide cybersecurity plan, although it may align and integrate with other existing plans.
The first step in formulating your employee benefit plan cybersecurity strategy is to identify what data is the most critical to protect and what the greatest threats to this data are. Then you can devise the best strategy for minimizing these threats and responding to cyberattacks or data breaches that may occur.
Start by asking these five questions:
1. What participant data needs to be protected, and how is it classified?
Participant data files contain sensitive personally identifiable information (PII) such as participants’ names, Social Security numbers, birthdates, bank account information, and account balances. They also contain protected health information (PHI) such as medical claims data.
2. Where is this data stored, and who has access to it?
Participant data may be retained by many different parties, including third-party administrators, custodians, actuaries, auditors, and trustees. You should determine every location where data could be held and how long it is retained there, and make sure all parties storing data meet strict security requirements.
3. What are the greatest threats to this data?
For example, data could be stolen and sold to the highest bidder, or cybercriminals could freeze your computer systems until you pay a ransom (this is known as ransomware). The source of threats is dynamic, coming from email, the Internet, social media, and even unrelated applications.
4. How is the data accessed, and is access being properly controlled?
Plan administration systems are sometimes linked to unrelated systems that can open the door to hackers while data is being transmitted. Encryption is a critical step in securing data—not just during transmission, but also at the points where it resides.
5. What data needs to be retained?
Not all the data being stored is necessarily needed to support your plan or execute tasks. Determine what data is unnecessary and then remove it from your systems, so that data you never needed cannot be compromised in a breach.
Find the Right Balance
As the plan fiduciary, you must determine the appropriate level of cybersecurity prevention given the scope of the threat, potential loss exposure, and cost of taking preventative action.
Here are a few things to consider in devising an appropriate cybersecurity risk management strategy for your plan:
- Available resources: Are cybersecurity prevention resources available internally, or do you need to invest in external resources and tools?
- Strategy integration: Can your strategy be integrated with the rest of your organization and, if so, what are the cost-sharing protocols?
- Implementation costs: Of course, cost will be a major factor in your strategy, but you should also factor in the potential cost of a major cyberattack and data security breach.
- The feasibility of purchasing cyber insurance: This type of insurance typically covers third-party damage and defense costs as well as first-party coverage. Here, you wouldn’t have to wait for a third party to sue the plan; instead, coverage is triggered as soon as a data breach occurs.
- Contracts with service providers: Third-party administrators and other service providers with access to participant data are a possible source of data breaches. So you need to ask them detailed questions about their own cybersecurity risk management strategy.
In particular, you should ask plan record keepers and custodians for a SOC for Cybersecurity Report. This new report will contain detailed information and assurances about controls affecting the security and integrity of the systems used to process data, as well as the privacy of the data processed by these systems.
Not If, But When
Many cybersecurity experts say it’s not a matter of if, but when a cyberattack will occur. Therefore, you should be proactive when it comes to managing plan data to minimize exposure to cybersecurity threats—both now and in the future.