A Plan Sponsor’s Cyber Security Responsibilities

August 2, 2019

Cybersecurity insurance can help protect you and your workers’ health and retirement benefit plans.



Group health and retirement benefit plan administrators keep personal information such as social security numbers, dates of birth and email addresses in electronic records. Employees could suffer serious financial or reputation damage if their information was stolen by a cyber thief. Personal information, unlike a credit card account number, cannot be changed by the account owner and can repeatedly be used by criminals to perform actions such as requesting a retirement plan distribution.



Health and retirement benefit plans are governed by the Employee Retirement Income Security Act of 1974 (ERISA). This federal law requires most plan sponsors and administrators to maintain at least minimum standards to protect employees who are members of these plans.



You are a plan sponsor if you have set up a health care or retirement plan, such as a 401(k), for your employees. Plan administrators and sponsors both have the ERISA fiduciary duty to ensure personally identifiable information (PII), protected health information (PHI) and plan assets are protected from cyber threats. Both entities also must show proof that a plan is in place to respond to a data breach and mitigate associated damages.



Questions to Ask:



As a plan sponsor, you should work with your health and retirement plan administrators to evaluate your plans’ overall potential risk. Questions you should ask include:



•    Who ultimately is in charge of cybersecurity for the benefit plan?



•    Is there a plan in place in case there is a data breach? Who would be the primary responder and what steps would be taken?



•    Is a cybersecurity training program available for employees? According to a 2016 Association of Corporate Counsel Foundation report, employee error is the number one reason cited for data security breaches.



•    What are the current legal and regulatory concerns?



•    What state laws apply if there is a data breach?



Steps to Take:



The ERISA Advisory Council on Employee Welfare and Pension Benefits issued a report titled “Cybersecurity Considerations for Benefit Plans.” It lists effective practices, considerations, and policies to deter cyber theft. They include:



•    Create a Strategy – Figure out where you are most at risk and establish procedures for how data should be stored, controlled, accessed and transmitted. You also need to make sure you have a plan for testing and updating technology, training personnel and managing third party risks



•    Work Closely With Service Providers – Talk to your plan’s third-party administrator about current data security policies or procedures for passwords, social media use, document retention, and Internet privacy.



Cybersecurity Insurance



Commercial insurance policies provide general liability coverage to protect your business from injury or property damage. However, the policies might not cover cyber risks. Internet security risks vary based on the type of business or industry, therefore policies for cyber risk are more customized than other types of insurance policies and can be based on a variety of factors. These factors include the type of data collected and stored, or how employees and others are able to access data. Cybersecurity insurance can include liability for security or privacy breaches and costs associated with a privacy breach or business interruption.



For help developing a cybersecurity plan for your business, please contact us. 

The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the firm, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. Barrow Weatherhead Lent LLP is not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. © 2023 Barrow Weatherhead Lent LLP. All Rights Reserved.

About Alera Group 

Alera Group is an independent, national insurance and wealth services firm with more than $1.1 billion in annual revenue, offering comprehensive employee benefits, property and casualty insurance, retirement plan services and wealth services solutions to clients nationwide. By working collaboratively across specialties and geographies, Alera Group’s team of more than 4,000 professionals in more than 180 locations provides creative, competitive services that help ensure a client’s business and personal success. For more information, visit https://aleragroup.com/ or follow us on LinkedIn.