Cybersecurity considerations for benefit plans
The Department of Labor (DOL) continually stresses the importance of a plan sponsor’s fiduciary duties. Fiduciaries act on behalf of benefit plan participants and beneficiaries and are thus entrusted with many responsibilities. They are also commonly entrusted with handling, transmitting and protecting sensitive data or information.
The ERISA Advisory Council on Employee Welfare and Pension Benefits (the Council) recently issued a report that highlights cybersecurity, an area that the Council believes plan sponsors may not be fully addressing as they carry out their fiduciary responsibilities. The report is entitled Cybersecurity Considerations for Benefit Plans and it recommends that the DOL raise awareness about cybersecurity risks and the key elements for developing a cybersecurity strategy specifically focused on benefit plans.
In most cases, a large number of people, both employees of the plan sponsor and employees of unrelated service providers, have access to and handle sensitive employee benefit plan information. Accordingly, there is potential for privacy breaches, identity theft or even theft of plan assets. Because the time and cost to recover from a data breach can be substantial, the Council encourages businesses to develop a cybersecurity management strategy for their employee benefit plans.
The Council’s report discusses many topics, including:
- The objective(s) of a cybersecurity strategy
- Commentary on how to establish a strategy/framework
- Discussion regarding the use of service providers
- Insurance considerations
- Useful terminology and links
To the extent your organization has not yet focused on the cybersecurity risk specific to benefit plans, we recommend starting with the following:
- Review existing corporate cybersecurity policies/processes and how they can be leveraged
- Take an “inventory” of your plan data to understand where/how it originates, who receives it, where it is stored, and who needs access
- Evaluate your internal resource capabilities – the Council’s report acknowledges the value of seeking expert advice when navigating this area
- Based on the size of your organization and your plans, consider cyber-insurance
As the Council’s report notes, designing a cybersecurity risk management strategy does not have to be overwhelming. The following visual summarizes the key components of an effective cybersecurity program: people, process, and technology.
The most significant takeaway for plan sponsors is that the Council is recommending that the DOL provide information to the benefit plan community of plan sponsors, fiduciaries and service providers to educate them on cybersecurity risks and to provide guidance on managing these risks.
If you are interested in Plante Moran’s cybersecurity capabilities and the potential cybersecurity impact on your benefit plans, see Plante Moran’s 7-point Cybersecurity Assessment. If you have any questions on the report, or on where to start with your cybersecurity strategy, please contact a member of Plante Moran’s Employee Benefit Consulting or Cybersecurity teams.