Cybersecurity and Benefit Plans

Cybersecurity is of rapidly growing importance to businesses, as data breaches can result in financial and reputational damage, as well as possible exposure to fines. Cybersecurity breaches, including losses due to compromise of data and assets, make headlines daily. According to BreachlevelIndex.com, there were about 1.9 trillion data records compromised in the first half of 2017 alone, and data breaches are happening at the rate of 122 data per second.

In one notable data breach of a retirement plan that was reported by the Chicago Sun Times in June 2016, hackers skimmed $2.6 million from city retirement accounts. The hackers created web profiles and took loans from the retirement accounts. In another data breach of a retirement plan that was reported by Bloomberg in July 2016, a ransomware attack on a multiemployer pension plan compromised personal information of 18,630 participants. The cost of a cybersecurity breach, including that of detecting the extent to which data have been compromised, recovering the data and restoring systems integrity, can be substantial. According to the 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute, the average total cost of a breach is $4 million, and the average cost per record breach is $158.

Data breaches are prevalent across industries, and a majority of the breaches involve identify theft and access to financial information. No industry or organization is immune from cyber threats, including those that provide benefit plans. Companies that have retirement plans maintain critical employee information within the plan, such as an employee’s name, social security number, compensation and other personal data, all of which is vulnerable to a breach. In the wrong hands, such information is sufficient to enable identity theft, privacy breaches and theft of assets. Consequently, the potential for appropriation of employees’ personal information is cause for alarm for all retirement plan sponsors. Benefit plans share sensitive employee information electronically across various unrelated entities as a part of the plan administration process, thus heightening exposure to cybersecurity risk. The Department of Labor (DOL) continually stresses to Employee Benefit Plan (EBP) administrators that ensuring security of EBP data related to employees’ sensitive information is deemed to be part of their fiduciary responsibility. The DOL is pushing for the EBP administrators to intensify their protection of benefit plan information.

Cyber threats is always present and cannot be completely eliminated, but there are steps that can be taken to manage the risk. Plan sponsors and those charged with governance need to assess their plans’ risks and develop specific strategies to address those risks, as it is not a question of "if" there will be a cyber attack–rather, it is a question of when, and how much will it cost the organization when it happens. Thus, in addition to taking action to minimize the risks, all parties involved in the administration of benefit plans and their data should be prepared to respond in the event of a breach. Cybersecurity is everyone’s responsibility. Critical actions and decisions about a cyber attack should be considered even before an incident occurs. It is critical for plan sponsors, administrators and service providers to have a strategy to manage data and assets with the objective of minimizing exposure to the cyber threats and to act quickly should a breach occur.

In response to increasing concerns around cybersecurity risk, the Employee Retirement Income Security Act (ERISA) Advisory Council (the Council) examined cybersecurity considerations as they relate to pension and welfare benefit plans. As a result of the Study, the Council published and submitted to the Secretary of Labor in November 2016 a report that summarizes its findings relating to cybersecurity risk and its recommendations on managing the risk. The Council’s report is focused on providing useful information to plan sponsors, fiduciaries and service providers for evaluating the risk, and developing a cybersecurity risk management program for benefit plans. Specifically, it focuses on outlining elements of cybersecurity risk management strategies–as well as recommendations and suggested resources for plan sponsors, fiduciaries and service providers to utilize when developing a cybersecurity strategy and program; these are outlined in a report titled "Cybersecurity Considerations for Benefit Plans" (https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf).

The report recommends that the plan sponsors establish a cybersecurity risk management strategy that includes the following:

1. Understanding sensitive plan’s data that needs protecting.
2. Consideration of existing cybersecurity frameworks such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework to help understand cyber risk.
3. Developing cybersecurity policies and processes Customizing the strategy to the organization’s environment.
4. Achieving the right balance between costs and benefit.
5. Ensuring that the strategy is compliant with state laws.

The Council also acknowledges that individuals responsible for benefit plan management rarely have expertise in cybersecurity; yet, as mentioned above, benefit plans contain significant sensitive individual data that could be prone to a breach. Consequently, the Council recommends that plan sponsors and fiduciaries consider whether to consult with a cybersecurity expert when developing a cybersecurity strategy for their plans. The Council also notes that firms that are small or do not have the resources or capacity to develop a customized, robust cybersecurity risk management strategy may opt to use cloud-based resources to offload cybersecurity burdens onto the cloud provider. Lastly, the Council recommends that plan sponsors consider adding cyber coverage to their insurance coverage.

The Council states that there is no "one size fits all" answer to cybersecurity risk. A strategy should align with the plan’s complexity and service provider arrangements. Most important is that the organization raise awareness about cybersecurity risk and develop a prudent risk management strategy specific to its benefit plans. This will not only help protect the plan against potential cyber attack, but will also demonstrate that the plan sponsor is exercising fiduciary responsibility over the plan.