Although U.S. courts have yet to decide whether managing cybersecurity risk is a fiduciary function, the ERISA (Employee Retirement Income Security Act) Advisory Council has asked the Department of Labor (DOL) to issue cybersecurity guidance for retirement plans. This is according to a white paper issued by the Pension Research Council at the University of Pennsylvania's Wharton School, titled "Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective."
The ERISA Advisory Council is asking the DOL to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face, and to require retirement plan sponsors both to be familiar with the security frameworks commonly used to protect data and to build their own cybersecurity process. The council would also like the DOL to recommend that sponsors practice third-party risk management, since much plan data is held by service providers.
The council notes that the DOL has addressed electronic distribution of plan information to participants and has asked plan administrators to “protect the confidentiality of personal information relating to the individual’s accounts and benefits.”
The council also notes that the Data Security Oversight Board (DSOB) of the SPARK Institute has developed standards to help recordkeepers communicate the capabilities of their cybersecurity systems to plan sponsors in a uniform way. SPARK has identified 16 areas critical to data security.
The council recommends that sponsors educate themselves about cybersecurity, for example by attending conferences, and that they reduce the amount of plan information shared among service providers. While ERISA does not mandate a written cybersecurity policy, plan sponsors are always required to act prudently and to document how they did so, and, according to the white paper, cybersecurity should be part of that documented process.
The authors of the white paper also recommend that sponsors take out cyber insurance in case of a breach and periodically evaluate and update their cybersecurity measures.