09-26-2024
ERISA FIDUCIARY DUTIES AND CYBERSECURITY
By: Caleb J. Brus & Cynthia Boyle Lande
The intersection of fiduciary duties under the Employee Retirement Income Security Act (“ERISA”) and cybersecurity has become increasingly prominent in our digital world. ERISA fiduciaries are responsible for managing retirement plans prudently and solely in the interest of participants and beneficiaries. As cyber threats grow, ensuring the security of sensitive plan information has become a critical component of these fiduciary duties.
THE ROLE OF ERISA FIDUCIARIES
ERISA fiduciaries are required to:
- Act with Prudence: Make decisions with the care, skill, prudence, and diligence that a prudent person would use.
- Act Solely in the Interest of Plan Participants and Beneficiaries: Ensure that all actions taken are for the exclusive purpose of providing benefits and defraying reasonable plan expenses.
- Follow Plan Documents: Adhere to the terms of the plan documents insofar as they are consistent with ERISA.
- Diversify Plan Investments: Reduce the risk of large losses unless it is clearly prudent not to do so.
- Pay Only Reasonable Plan Expenses: Ensure that fees and expenses are appropriate and reasonable for the services provided.
CYBERSECURITY CONCERNS
Fiduciaries managing retirement plans are entrusted with vast amounts of sensitive personal information, including Social Security numbers, account balances, and other financial data. The increasing frequency and sophistication of cyberattacks pose significant risks to this data. A breach can lead to identity theft, financial loss, and erosion of participant trust. Common cyber threats include:
- Phishing attacks
- Ransomware
- Insider threats
- Third-party risks (service providers)
FIDUCIARY DUTIES AND CYBERSECURITY
The U.S. Department of Labor (“DOL”) has recognized cybersecurity as a critical issue for ERISA-covered plans. On September 6th, 2024, the DOL provided updated cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. While ERISA does not explicitly mention cybersecurity, fiduciary duties to act prudently and in the best interest of participants encompass safeguarding sensitive information. Below are a few considerations for fiduciaries regarding their responsibilities in the context of cybersecurity:
- Conduct Risk Assessments: Fiduciaries should regularly assess the cybersecurity risks associated with their plan operations. This includes identifying potential vulnerabilities in their systems and processes and evaluating the cybersecurity practices of service providers.
- Implement Strong Cybersecurity Practices: Based on the risk assessments, fiduciaries should implement robust cybersecurity measures. These can include:
  - Encryption: Protecting data both in transit and at rest using strong encryption protocols.
  - Multi-Factor Authentication (MFA): Requiring multiple forms of verification before granting access to sensitive data.
  - Audits and Monitoring: Continuously monitoring systems for suspicious activity and conducting regular security audits.
  - Training: Educating employees and plan participants about cybersecurity best practices and potential threats.
- Service Provider Oversight: Fiduciaries often rely on third-party service providers for plan administration and management. It is crucial to evaluate the cybersecurity practices of these providers. This includes:
  - Due Diligence: Assessing the provider's security measures, incident response plans, and track record.
  - Contracts: Including specific cybersecurity requirements and breach notification protocols in service agreements.
- Develop an Incident Response Plan: Despite best efforts, breaches can occur. Fiduciaries should have a comprehensive incident response plan in place to quickly address and mitigate the impact of a cybersecurity event. This plan should outline:
  - Response Team: Designating individuals responsible for managing the incident.
  - Notification Procedures: Timely notification to affected participants, regulators, and law enforcement.
  - Remediation Steps: Measures to contain and resolve the breach, such as data restoration and system patches.
WHAT THIS MEANS FOR EMPLOYERS
ERISA fiduciaries play a pivotal role in protecting the integrity of retirement plans, which now includes safeguarding against cyber threats. Plan sponsors should consider implementing a formal cybersecurity program that includes establishing protocols, training and awareness, regular audits and assessments, and collaborating with cybersecurity professionals. By understanding and integrating cybersecurity into their fiduciary duties, they can better protect participants' sensitive information and maintain the trust essential for the successful management of retirement plans. As cyber threats evolve, staying informed and proactive is key to fulfilling these critical responsibilities.
HOW CAN BROWNWINICK ASSIST YOU?
If requested, BrownWinick can assist you in understanding your fiduciary duties as they relate to cybersecurity. Please contact Caleb Brus at 515-558-8867 or Cindy Lande at 515-242-2476.