The U.S. Department of Labor (“DOL”) is developing cybersecurity objectives for plan fiduciaries that form the basis for its plan audits. It’s likely that the DOL’s guidelines will add to the foundation on which data security-related class action lawsuits are litigated.
Because benefit plans are regulated by ERISA, anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries arising under ERISA.
Everyone who comes in contact with personally identifiable information (“PII”) has a role to play in protecting plan data.
Here’s where to start…
Adopt a Cybersecurity Policy
Regardless of a plan’s size or complexity, the need for a cybersecurity policy statement (“CPS”) has escalated to the same level of importance as an investment policy statement. If your plan currently lacks a CPS, don’t delay in adding one to the policies on which you rely to demonstrate that your plan is being managed prudently.
Conduct a Cybersecurity Risk Assessment
Initiate an examination of your plan’s current cybersecurity weaknesses, performed either internally or by a qualified third-party expert. A legally defensible risk assessment will cover 18 discovery tasks. Scored on a scale of 1 to 100, an assessment offers a way to measure continued improvement. Ask Roland|Criss for a list.
Elevate Cybersecurity to a High Monitoring Priority
The agendas of benefit-plan-related committees should include a permanent entry for monitoring a security management plan. Best practices for ERISA governance, risk management, and compliance (“GRC”) systems now require evidence of robust monitoring. Using a technology application tailored for that purpose is a must. Ask us about Fiduciary GRC™, a state-of-the-art cybersecurity solution that covers the entire risk spectrum: assessment, technology, and monitoring.
FiduciaryGRC™ is a trademark of Roland|Criss.