To meet emerging cybersecurity standards, employers acting as plan sponsors need to understand some basic rules, specifically those arising under the Employee Retirement Income Security Act (“ERISA”).

The U.S. Department of Labor (“DOL”) is developing cybersecurity objectives for plan fiduciaries that form the basis for its plan audits. It’s likely that the DOL’s guidelines will add to the foundation on which data security-related class action lawsuits are litigated.

Cybersecurity for retirement plans often falls outside the scope of enterprise-wide cybersecurity planning. Benefit plans routinely maintain and share sensitive employee data and asset information across multiple unrelated entities as part of the plan administration process. That data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Because benefit plans are regulated by ERISA, anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries arising under ERISA.

Everyone who comes in contact with personally identifiable information (“PII”) has a role to play in protecting plan data.

Here’s where to start…
Adopt a Cybersecurity Policy

Regardless of a plan’s size or complexity, a cybersecurity policy statement (“CPS”) has become as important as an investment policy statement. If your plan currently lacks a CPS, don’t delay in adding one to the set of policies you rely on to demonstrate that the plan is being managed prudently.

Conduct a Cybersecurity Risk Assessment

Initiate an examination of your plan’s current cybersecurity weaknesses, staffed either internally or by a qualified third-party expert. A legally defensible risk assessment will adhere to 18 discovery tasks. Scoring the assessment on a scale of 1 to 100 gives you a baseline against which to measure continued improvement. Ask Roland|Criss for a list.

Elevate Cybersecurity to a High Monitoring Priority

The agendas of benefit plan committees should include a permanent entry for monitoring the security management plan. Best practices for ERISA governance, risk management, and compliance (“GRC”) systems now require evidence of robust monitoring, and a technology application tailored for that purpose is a must. Ask us about Fiduciary GRC, a state-of-the-art cybersecurity solution that covers the entire risk spectrum: assessment, technology, and monitoring.

FiduciaryGRC is a trademark of Roland|Criss.