Cyber Security was a Hot Topic at the TPSU Fiduciary Training Program. Plan sponsors now carry more responsibility under their fiduciary duty, and cyber security has been elevated to fiduciary status. During a Fiduciary Training Program held at Rutgers University, The Plan Sponsor University (TPSU) Adjunct Lecturer Jamie Greenleaf addressed the importance of cyber security. Among the points Ms. Greenleaf made were the importance of protecting plan participant data and the need to treat potential cyber threats as organizational threats, not merely information technology threats.
An Ounce of Prevention is Worth a Pound of Cure
A prudent plan fiduciary should attempt to prevent or eliminate known cyber risks before they materialize; the first concern of any cyber security plan is preventing a breach at all. Retirement plan administrators and other fiduciaries should be cautioned against viewing the protection of plan assets, including plan participant data, solely as the responsibility of external partners.
Plan fiduciaries should regularly review operating agreements and service contracts to confirm that they include language addressing cyber security and the process(es) in place for identifying cyber breaches and issuing the corresponding notifications. Plan sponsors need to be aware that breaches can be initiated from within, by a trusted service provider or a rogue consultant, so the language around “the notification of the occurrence of such a breach” (who must be told, how quickly, and what must be disclosed) will be important when working through a remedy. In many breaches, once the perpetrator has penetrated the system, the offender lies dormant for a period, possibly months, before the bad actor is discovered to have compromised the system with malicious intent. A retirement plan will rarely anticipate the motives of such an attack or the mindset of the attacker. Although all cyber-attacks are disruptive and damaging, internal attackers are a special breed of offender: they occupy a position of trust and then exploit an organization’s data, either using it for their own purposes or simply causing disruption for a period of time. Proper language in contracts and a strong legal team experienced in cyber breaches are a good combination when working through internal breaches.
Who Pays for Cyber Security Protection?
Because ERISA requires fiduciaries to protect the assets of the retirement plan, preventive cyber security efforts can be paid for with plan assets. Cyber risk assessments are prudent and may soon become as commonplace as the annual investment review.
Plan sponsors who are in the dark about cyber security or cyber-attack prevention may be engaging in a high-stakes wager with their plan and their plan participants’ data.
Latest posts by Steff Chalk (see all)