Cyber Security – Hot Topic at TPSU Fiduciary Training Program – 401ktv

Cyber Security was a Hot Topic at TPSU Fiduciary Training Program. Plan sponsors now have more responsibility when it comes to Fiduciary Duty.  Cyber security is now elevated to Fiduciary Status.  During a Fiduciary Training Program held at Rutgers University, The Plan Sponsor University (TPSU) Adjunct Lecturer Jamie Greenleaf addressed the importance of cyber security.  Included in the points made by Ms. Greenleaf were the importance of the protection of plan participant data and the ongoing treatment of potential cyber threats as Organizational Threats and not just Information Technology threats.

An Ounce of Prevention is Worth a Pound of Cure

A prudent plan fiduciary should attempt to prevent or eliminate known cyber risks. An early concern for any cyber security plan is the prevention of any breach at all. It is logical that a prudent fiduciary would attempt to prevent or eliminate potential cyber risks before they occur. Retirement plan administrators and other fiduciaries should be cautioned against viewing the protection of plan assets, including plan participant data, solely as the responsibility of external partners.

Plan fiduciaries should regularly review operating agreements and service contracts for the inclusion of language addressing cyber security and the process(es) in place for identification of cyber breaches and corresponding notifications. Plan sponsors need to be aware that breaches can be initiated from within – by a trusted service provider or a rogue consultant – so the language around “the notification of the occurrence of such a breach” will be important when working through a remedy. In many breaches, once the perpetrator has penetrated the system, the offender will lie dormant for a period. This could be a period of months before the bad actor or hacker is discovered as having penetrated the system security with bad intentions. A retirement plan will rarely anticipate the motives of such an attack or the mindset of the attacker. Although all cyber-attacks are disruptive and damaging, internal hackers stand out as a special breed of offender. Internal hackers are in a position of trust, and they take advantage of an organization’s data with the intention of either using the data as their own or just being a nuisance for a period of time. Proper language in contracts and a strong legal team experienced in cyber breaches are a good combination when working through internal breaches.

Who Pays for Cyber Security Protection?

Due to the ERISA requirement that fiduciaries protect the assets of the retirement plan, preventive cyber security efforts can be paid for with plan assets. Cyber risk assessments are prudent and may soon become as commonplace as an annual investment review.

Plan sponsors who are in the dark about cyber security or cyber-attack prevention may be engaging in a high-stakes wager with their plan and plan participant data.

Steff Chalk

Managing Editor at 401kTV
Steff C. Chalk is Executive Director of The Retirement Advisor University, a collaboration with UCLA Anderson School of Management Executive Education. Steff also serves as Executive Director of The Plan Sponsor University and is current faculty of The Retirement Advisor University.