DC Plan Sponsors Vulnerable to Cyber Attacks

A chain is only as strong as its weakest link. Companies that strive to protect their data and their employees from cyber-attacks may still be vulnerable if their defined contribution (DC) record keeper or TPA (third party administrator) either does not have adequate protection or uses data without the company's permission. In fact, according to a major law firm, a lack of adequate protection against cyber-attacks could lead to fiduciary liability.

The law firm of Pillsbury Winthrop Shaw Pittman explains that DC plan sponsors are responsible for ensuring that third parties given access to sensitive company and employee data have taken adequate measures to protect against cyber-attacks. In addition, plan sponsors should make sure that these vendors, including health and financial wellness providers, are not using the data improperly or selling it without permission. TPAs and record keepers that are part of a larger financial services company will likely have adequate protection and policies to safeguard data obtained while servicing DC plans, but local, independent firms may not, warns Pillsbury.

Other dangers include the use of offshore outsourcers who may also have access to the company's DC plan data. There is no comprehensive regulatory framework governing cyber security protocol, and certainly nothing under ERISA, but more and more DC plan sponsors are starting to realize that they are a "digital fiduciary," as outlined by UCLA Professor Shlomo Benartzi, since the vast majority of plan participants interface with their DC plan through computers.

What to do? Pillsbury recommends that plans:

  1. Conduct due diligence of DC vendors that have access to plan and participant data
  2. Conduct periodic reviews of the contracts with these third parties
  3. Review whether their vendors have insurance, and possibly obtain their own protection against litigation, which is probably not covered under other policies

Plan sponsors should consider:

  1. Requesting a copy of their vendors' cyber security program and asking whether they have an assigned security officer
  2. Asking whether threats are shared with clients
  3. Reviewing their vendors' processes
  4. Exerting more control over sensitive data
  5. Leveraging Homeland Security's SAFETY Act
