Cyber Risks Threatening Retirement Plan Data: The Role of the New Digital Fiduciary

In a far-reaching report by the 2016 ERISA Advisory Council entitled “Employee Benefit Plans: Considerations for Navigating Cybersecurity Risks,” the issue of cyber risks to sensitive personal employee data in retirement plans was raised. What should ERISA plan fiduciaries do, and what are their obligations? Is it time to appoint a digital fiduciary?

There is very little legislation about protection of data in ERISA plans, unlike healthcare data, which is protected by HIPAA. With more and more 401k and 403b plan sponsors incorporating financial wellness programs, even some of an employee’s health data is shared with third parties. Beyond liability, plan sponsors and their advisors need to take steps to mitigate and manage cybersecurity risks.

These risks include:

  • Ransomware, where criminals encrypt an entire hard drive and will only release the key to unlock it for a high ransom.
  • Phishing, where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cyber-criminal to infiltrate a computer network.
  • Wire transfer email fraud, where cyber criminals pretend to be senior executives asking employees to transfer funds.
  • Malware via external devices, where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.

Data sharing is becoming a big business issue for DC providers. Record keepers hold significant and sensitive participant data like Social Security Numbers, account information and logins/passwords. To customize investments, third parties need access to some of this data, but record keepers may be reluctant to share it without knowing their legal liabilities. This raises an interesting question for plan sponsors: what is your agreement with third parties that have access to sensitive company and employee data?

Industry groups like SPARK (Society of Professional Administrative Record Keepers) are developing recommended standards, as is the AICPA. There are initiatives under way in 31 states, which could result in a confusing patchwork, and there are opportunities for companies to get insurance.

The ERISA Advisory Council report provides resources for plan sponsors and recommends a strategy to protect against cyber risks. For smaller companies without access to ERISA counsel, next steps might be as simple as asking their advisor about the issue and then reviewing what steps their record keeper is taking to protect the company and employee data, as well as the agreement on how this data can be used or shared.

Not having a written policy and strategy to protect participant data in ERISA plans could lead to fiduciary liability. So who is your designated digital fiduciary?
