Cyber Attacks: Can Your TPA Protect Your Plan? If you have delegated some of the responsibility of managing your retirement plan to a third party administrator (TPA), have you given much thought, if any at all, to cybersecurity? If not, you’re not alone. Most plan sponsors don’t. That said, cybersecurity is definitely something you should be thinking about, especially since you likely share a variety of sensitive employee information with your TPA.
This recent article from law firm Mintz Levin notes that because there aren’t any rules or standards around 401(k) cybersecurity, it’s an afterthought for many plan sponsors. Or most presume their TPA has cybersecurity measures in place, which isn’t always the case.
Here’s the thing: Even though there are no specific rules about cybersecurity, most states do have laws that require employers to protect employee information in the event of a breach. And even if that breach happens at your TPA, you’re on the hook for their noncompliance. So it’s important to make sure you and your TPA are on the same page about how they’re complying with your state’s laws and how you’re protected if the TPA slips up.
Moreover, under ERISA, plan sponsors must act prudently in selecting and monitoring plan service providers, including TPAs. So while the rules around prudence don’t explicitly discuss cybersecurity protections, you should assume that it’s your responsibility to make sure your TPA has stop gaps in place to protect participants’ information and savings from cyber threats.
The Mintz Levin article also outlines several proactive steps plan sponsors can take around cybersecurity protection when hiring or renewing a TPA contract. Terms of the contract should include:
“• The TPA should maintain a comprehensive, written security program that contains administrative, technical and physical safeguards based on accepted industry practices.
- If any data are lost or stolen under the TPA’s watch, the TPA should contact the employer immediately and provide a remediation plan that complies with all federal and state laws relating to data breaches, whether the laws apply to the TPA or to the employer.
- The TPA should bear all expenses for security breach mitigation and should compensate the employer for any loss or theft of the employer’s data.
- The contract should address transfer, storage, retention, and destruction of data.
- Participant data should be accessible only by the TPA’s trained personnel and used only to perform the contracted services.
- Any subcontractors must be bound by the same standards as the TPA.
- The TPA should have a robust business continuity and disaster recovery plan covering the employer’s data.
- The employer should reserve rights to audit the TPA’s practices.
- The agreement term should be limited so that the employer can renegotiate cybersecurity provisions as rules evolve and new threats emerge.”
While cybersecurity may not be top of mind, you can protect yourself, your plan and participants from cyber threats by choosing top-flight providers, comparing TPA proposals and engaging in good-faith negotiations every few years, and monitoring your providers regularly.
Latest posts by Robyn Kurdek (see all)
- DOL Rule Struck Down in Court: Will Fiduciary Standards Prevail? - March 19, 2018
- Target Date Funds – Getting Questions? Be Prepared - March 15, 2018
- Form 5500 – Sponsors Forgetting to File Can Be a Costly Mistake! - March 14, 2018