Cybersecurity and fiduciary breaches are in the spotlight once again. Retirement plan cybersecurity and fiduciary issues continue to cause problems for Retirement Plan Committee members. It is no surprise: trillions of dollars in retirement savings are a potential target for real-time theft through cybersecurity breaches, and the technology weaknesses behind that risk are being exposed by Covid-19. According to The National Law Review, the number of 401(k) plan participants requesting distributions and loans has increased dramatically since the passage of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. These transactions further expose plan participants, administrators, and service providers to new potential cybersecurity vulnerabilities, as more money continues to move out of retirement plans.
As plan fiduciaries, every plan sponsor has a responsibility to adhere to the compliance requirements outlined by the Employee Retirement Income Security Act (ERISA) of 1974, the law that governs workplace retirement plans. However, because ERISA pre-dates the internet age, its text offers no guidance on cybersecurity concerns. In addition, neither the Department of Labor (DOL) nor the IRS has issued formal guidance on plan fiduciaries' cybersecurity and fiduciary breach responsibilities under ERISA. Yet plan sponsors, administrators, and recordkeepers face a proliferation of lawsuits over cybersecurity and fiduciary breaches. How can plan fiduciaries, specifically retirement plan committees, protect themselves in a digital age dominated by a pandemic in which cybersecurity-related crimes are on the rise?
The National Law Review recommends that retirement plan committees implement measures and policies that:
- Protect plan participant data and investments from cybersecurity attacks;
- Put technical, physical, and administrative safeguards in place to protect the “confidentiality, integrity, availability, and resiliency of plan assets”; and
- Ensure the safeguards meet the Committee’s legal obligations and industry standards.
It is also important to recognize that, despite the Committee's best efforts, a cybersecurity breach may occur. How the Committee responds to and manages cybersecurity and fiduciary breaches helps to define its potential fiduciary liability. Even if a cybersecurity attack occurs, the Committee can potentially avoid fiduciary liability. To do so, the Committee must demonstrate without a doubt that it adhered to ERISA requirements, which means prudently managing the plan solely for the benefit of participants and beneficiaries.
According to The National Law Review, key considerations for the Committee include:
- Having a comprehensive cybersecurity risk management program in place;
- Including a strategy to protect participant data and plan investment information;
- Being aware of the cybersecurity measures and safeguards in place at the plan's third-party vendors;
- Communicating with participants and beneficiaries about the risks of cybersecurity attacks and the related security protocols; and
- Putting liability reduction measures in place, such as fiduciary liability insurance, should the plan be subject to a cybersecurity breach.
Although ERISA does not specifically address fiduciary obligations related to cybersecurity and fiduciary breaches, plan sponsors and fiduciaries still need to implement preventive measures to protect plan assets and data from loss, and to protect themselves from potential liability.
To learn more about cybersecurity and fiduciary breaches, see The Plan Sponsor University's complimentary fiduciary education program.