Cybersecurity Invades Employee Benefit Plan Administration

 
Cybersecurity is a tech-centric term that often makes business unit leadership’s eyes roll. That response is risky because cybersecurity ranks among the most vital issues facing human resources, finance, and administration executives.

The truth is that cybersecurity, while highly technical in its domain, uses the same principles and concepts as many other business-related legal risks. Employee benefit plan (“EBP”) leaders face a new era that requires administration and risk management behaviors that are not part of traditional fiduciary best practice thinking.

Who is Accountable for EBP Cybersecurity?

An enterprise’s information technology department is not primarily responsible for conformance with the government’s cybersecurity guidance for EBP sponsors. To emphasize that concept, Bryan Smith, Section Chief for the FBI’s Cyber Criminal Division, recently said, “Cybersecurity is primarily a business management problem.”

The U.S. Department of Labor established an emerging compliance framework for EBP sponsors when it introduced sub-regulatory cyber guidance in 2021 through its enforcement arm, the Employee Benefits Security Administration (“EBSA”). Since then, the EBSA’s field audit program has placed the burden to protect plan participants’ Personally Identifiable Information (“PII”) and Personal Health Information (“PHI”) squarely on plan administrators and fiduciary committees.


An Overlooked Resource

Since operational management of EBPs tends to fall at the feet of human resources leaders, that executive class requires new skills and methods because technology IS the plan, and technology is the enabler from payroll to processing a plan’s transactions. Yet, the information technology groups of most employer organizations are in a silo far away from fiduciary committees, and there’s proof.

Most human resources departments select Internet-centric service providers that retain PII and PHI, like recordkeepers and payroll processors, without involving their organizations’ IT units. Prudence demands otherwise!

The lines between human resources functions and technology functions are blurring. Therefore, leading human resources executives must look for ways to engage more deeply with their technology peers and embrace that overlooked resource. Doing so will help enlighten EBP plan managers about the difference between a cybersecurity risk management process and the technology that protects internet-connected systems such as hardware, software, and data from cyber threats.
 

Get Prepared

In the face of an exploding number of cybersecurity breaches of employers’ in-house IT systems, retirement plan recordkeepers, payroll services, and healthcare providers, the standard of care documented in the EBSA’s guidance demands upgrades in two fundamental fiduciary disciplines: governance and controls. The actions discussed next are a minimum, not an exhaustive list, and each should be completed on a short time frame.

Cybersecurity Policy

Regardless of an EBP’s size or complexity, the need for a cybersecurity policy statement explicitly written to align with the EBSA’s guidance has escalated to the same level of importance as an investment policy statement maintained by defined contribution and defined benefit plan fiduciaries.

Monitoring Agenda

The agendas of EBP committees should include a permanent entry for monitoring a data security management plan.

Service Provider Management Standards

EBP committees should have written cybersecurity rules for hiring, monitoring, and re-engaging vendors of retirement plan services, healthcare plans, payroll operations, and any other service provider that takes possession of PII or PHI.

Make Cybersecurity Training a Committee Prerequisite

Get trained on all aspects of the EBSA’s cybersecurity guidance. Also, ask your information technology unit for awareness training in cybersecurity standards such as those promulgated by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”).

Adopt a Control Framework

While the EBSA’s guidance is an excellent place to start, a proper workflow for executing a committee’s rules transcends the EBSA’s guidelines. Consultation with an ERISA fiduciary risk management firm like Roland|Criss to build an appropriate framework would ensure a committee’s ability to prove its prudence.

Commission an Assessment

Initiate an examination of your plan’s current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment should adhere to independently developed criteria, and a review offers a way to ensure continued improvement. Ask Roland|Criss for the list of criteria.

 

Conclusion

Having an independent risk management specialist annually assess an EBP’s security controls provides a clear, unbiased report of existing risks, vulnerabilities, and weaknesses. As part of its review of an effective assessment program, the EBSA says it would expect to see an examination of a plan’s vendors that includes:

  • Audit reports, audit files, penetration test reports and supporting documents, and any other analyses or review of the vendors’ cybersecurity practices by a third party.
  • Audits and audit reports prepared and conducted in accordance with appropriate standards.
  • Documented corrections of any weaknesses identified in the independent third-party analyses.

The continued assaults by cyber thieves on EBP data and assets underscore the need for immediate improvements in EBP administration. It should be a fiduciary committee’s highest priority.
