401k Plan Data – Can it be Hacked? – Ask The Lawyer
“My recordkeeper and other vendors secure our plan data. Can I just trust that they are doing it right?”
A plan committee member asked me this question recently, pointing out that she was not an expert on cybersecurity. My response was: “We read about hacking and security breaches all the time. You maintain plan data onsite and send it to your vendors. You are responsible for your company’s practices. What your vendors do or fail to do in securing plan information is your responsibility as well because you are responsible for reviewing how they perform.”
Although there is no specific federal law or regulation dealing with 401k cybersecurity, ERISA’s general fiduciary responsibility provisions require that plan assets be used only to provide benefits and pay reasonable expenses and that fiduciaries behave prudently in hiring and monitoring the vendors they hire. Failure to deal with cybersecurity issues could be a fiduciary breach under these rules and fiduciaries could have personal liability for the resulting losses, for example, if hackers are able to steal plan assets or fraudulently obtain distributions online by pretending to be participants. Participants whose personal accounts are hacked might also have claims against fiduciaries who failed to protect their data.
The First Steps
Data comes from the plan sponsor. Fiduciaries should first be confident that they have good cybersecurity features on their own system. They should also be investigating vendor procedures and negotiating contract provisions to protect themselves and their plan participants if there is a security breach. Just as fiduciaries who are not investment experts hire outside advisors to assist them, fiduciaries should consider hiring an outside expert to assist them with cybersecurity review.
Digging Deeper
There are helpful guides to assist fiduciaries in identifying the cybersecurity issues they need to investigate and in resolving them. Every services agreement should deal with this issue and provide basic protections. Plan fiduciaries should have documented procedures in place to demonstrate that they have fulfilled their responsibilities and, since no protection is 100% breach-proof, adequate insurance protection.
Does Your Services Agreement Do the Job?
Here are some of the issues to cover:
- Does your vendor automatically encrypt data?
- Who has access to the data?
- Does your vendor have external review of its procedures?
- How quickly will your vendor notify you of a breach, and how will it assist in fixing it?
- Does your services agreement give you the right to audit the vendor’s procedures?
- Does your services agreement provide that the vendor will indemnify you if there is a breach?
What About Insurance?
- Do your current corporate and fiduciary liability policies adequately cover cybersecurity breaches? Many do not.
- Separate cybersecurity insurance to deal with breaches is available in the market. So-called “first party” insurance does not require that there be a lawsuit in order to recover.
- Does your vendor have adequate insurance of its own?
All plans should have procedures in place for confirming that vendors properly secure plan data and for addressing attacks and breaches. New vendors should not be hired and existing vendors should not be retained unless plan fiduciaries are satisfied that plan data is adequately protected. While total security is not achievable, this will make it less likely that your plan participants will be hacking victims.
By Carol Buckmann
Carol Buckmann is a founding partner at Cohen & Buckmann PC, and has practiced at major law firms specializing in the areas of employee benefits and executive compensation for over 30 years. Carol frequently blogs, writes articles and is quoted in the media about current employee benefit issues.