A Plan Sponsor’s Cyber Security Responsibilities

August 2, 2019

Cybersecurity insurance can help protect you and your workers’ health and retirement benefit plans.

Group health and retirement benefit plan administrators keep personal information such as social security numbers, dates of birth and email addresses in electronic records. Employees could suffer serious financial or reputation damage if their information was stolen by a cyber thief. Personal information, unlike a credit card account number, cannot be changed by the account owner and can repeatedly be used by criminals to perform actions such as requesting a retirement plan distribution.

Health and retirement benefit plans are governed by the Employee Retirement Income Security Act of 1974 (ERISA). This federal law requires most plan sponsors and administrators to maintain at least minimum standards to protect employees who are members of these plans.

You are a plan sponsor if you have set up a health care or retirement plan, such as a 401(k), for your employees. Plan administrators and sponsors both have the ERISA fiduciary duty to ensure personally identifiable information (PII), protected health information (PHI) and plan assets are protected from cyber threats. Both entities also must show proof that a plan is in place to respond to a data breach and mitigate associated damages.

Questions to Ask:

As a plan sponsor, you should work with your health and retirement plan administrators to evaluate your plans’ overall potential risk. Questions you should ask include:

•    Who ultimately is in charge of cybersecurity for the benefit plan?

•    Is there a plan in place in case there is a data breach? Who would be the primary responder and what steps would be taken?

•    Is a cybersecurity training program available for employees? According to a 2016 Association of Corporate Counsel Foundation report, employee error is the number one reason cited for data security breaches.

•    What are the current legal and regulatory concerns?

•    What state laws apply if there is a data breach?

Steps to Take:

The ERISA Advisory Council on Employee Welfare and Pension Benefits issued a report titled “Cybersecurity Considerations for Benefit Plans.” It lists effective practices, considerations, and policies to deter cyber theft. They include:

•    Create a Strategy – Figure out where you are most at risk and establish procedures for how data should be stored, controlled, accessed and transmitted. You also need to make sure you have a plan for testing and updating technology, training personnel and managing third party risks

•    Work Closely With Service Providers – Talk to your plan’s third-party administrator about current data security policies or procedures for passwords, social media use, document retention, and Internet privacy.

Cybersecurity Insurance

Commercial insurance policies provide general liability coverage to protect your business from injury or property damage. However, the policies might not cover cyber risks. Internet security risks vary based on the type of business or industry, therefore policies for cyber risk are more customized than other types of insurance policies and can be based on a variety of factors. These factors include the type of data collected and stored, or how employees and others are able to access data. Cybersecurity insurance can include liability for security or privacy breaches and costs associated with a privacy breach or business interruption.

For help developing a cybersecurity plan for your business, please contact us.