401k cybersecurity risk assessment is no longer a task that can be put-off. Consequently, a plan sponsor’s fiduciary duty encompasses 401k cybersecurity risk assessment. Managing 401k cybersecurity risk is a required part of a plan sponsor’s fiduciary task-list. Unfortunately, The Employee Retirement Income Security Act (ERISA) does not specifically mention 401k cybersecurity risk assessments as a line-item task. However, a plan fiduciary has a responsibility to act with prudence when engaging in vendor selection.
Plan fiduciaries are required to act prudently when hiring third party service providers. This includes ensuring that your plan’s service providers have proper 401k cybersecurity risk measures and protocols in place.
Apparently, new guidance is on the way. This, according to Tim Hauser, deputy assistant secretary for national office operations at the U.S. Department of Labor’s (DOL’s) Employee Benefits Security Administration. When speaking at a recent SPARK Cybersecurity virtual program, Mr. Hauser referenced future DOL guidance. DOL guidance is in development for U.S. plan sponsors regarding 401k cybersecurity risk. The guidance will include the selection of third-party service providers for retirement plans. This is favorable news, given that guidance to date has been vague at best. In the absence of clear guidance fiduciary breaches continue to confound plan sponsors and retirement plan committees.
Outlined in a recent article published by the Society for Human Resources Management (SHRM), there are several methods by which retirement plan committees can assess the ability of potential plan service providers to manage cybersecurity risks. Examples include:
- Taking the general threats and vulnerabilities of plan service providers into account when conducting the organization’s enterprise data security risk assessment;
- Meeting with the service provider’s IT lead, but also others in the service provider’s organization— and also with legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the service provider;
- Requiring the service provider to complete a detailed list of pointed data privacy and security questions. This should include active evaluations by your IT team, counsel, and/or consultant;
- Asking about prior data security incidents and how they were handled;
- Reviewing the service provider’s shared policies and procedures;
- Requiring the service provider to submit to an independent data security audit/review, penetration test; and
- Asking the service provider about its data breach response plan and how often the plan is practiced. That plan should include the service provider when you practice your own response plan and gauge their openness to that.
As the SHRM article aptly pointed out, this is by no means an exhaustive list, and “…it is appropriate to incorporate representations and additional protections concerning data privacy and security in the ultimate services agreement.”
A key takeaway is that plan sponsors and retirement plan committees should carefully assess plan service providers’ privacy and data security risk protocols. This should occur with frequency – not only when a breach occurs. It is now a best practice to include questions about 401k cybersecurity risk management and prevention protocols in a request for proposal (RFP). Your next RFP should address cybersecurity risk and prevention capabilities among the providers under consideration.