Enhancing Cybersecurity and Associated Costs

By ASPPA Net Staff • November 04, 2016

Every day we hear news that is premised on a leak of some sort — the result of a breach of cybersecurity. Regardless of whether it has been publicized or is lesser known, a breach is a breach and it puts people and their assets at risk. And that includes retirement plan participants.

A recent American Law Institute webinar addressed such breaches and their associated costs. The speakers at the Nov. 3 webinar warn that data security experts consistently say it is not a question of "if" a breach will occur but "when," adding that HR staff and other custodians of Social Security numbers are frequent targets of cyberattacks.

Protection against hackers can be expensive, warn speakers Marcus D. Brown and Theanna Sedlock, associates at Winstead, P.C., and Greta Cowart, a shareholder at the firm. But the costs of inaction could be greater — to the tune of almost $1.7 million for one company, they observe. Potential costs include:

  • state law penalties;

  • breach notifications;

  • post-breach employee protection;

  • regulatory compliance;

  • fines;

  • public relations;

  • employee relations;

  • crisis communications;

  • attorneys’ fees;

  • litigation costs;

  • cybersecurity improvement;

  • technical investigations;

  • higher insurance premiums;

  • greater costs to borrow;

  • operational disruption;

  • impact on employee relations;

  • poorer business reputation; and

  • lost intellectual property.

With that much money on the line, a firm may naturally find protection against electronic breaches to be a worthwhile investment. Since that protection itself carries significant costs, it is advisable to pursue it cost-effectively. But Brown, Sedlock and Cowart point out that some cost-saving measures may carry a hidden cost of their own.

That cost: cutting expenses in enhancing cybersecurity could come at the expense of ERISA compliance. “Some of the protections plan fiduciaries expect and commonly used tools for cost saving such as electronic disclosure may be effective to fulfill responsibilities and may place the plan fiduciaries at risk for ERISA non-compliance, potential penalties and ERISA fiduciary exposure,” according to the attorneys.

Practical Considerations

Brown, Sedlock and Cowart suggest that plan administrators consider the following matters when they enter into contracts with vendors that will handle participant data:

  • confidentiality of information;

  • data privacy law compliance representation;

  • data protection protocols;

  • security incident procedures and notification procedures;

  • limitations of, and exclusion from, liability;

  • security audit provisions to permit compliance review;

  • customer-requested background checks of supplier personnel;

  • definitions related to cybersecurity terms, standards and tools or mechanisms;

  • the vendor's obligation to notify the plan sponsor of a breach and to promptly investigate suspicious facts;

  • obligation to mitigate damage to participants and dependents a breach causes;

  • cybersecurity insurance; and

  • federal cybersecurity regulations.

“Security should be a consideration for every retirement plan fiduciary to preserve the fiduciary protection available” when making required disclosures electronically, and the fiduciary protections that flow from such disclosures, as well as with respect to claims of violation of common law privacy rights, the attorneys say. “Retirement plan fiduciaries should consider whether their duties of loyalty, prudence and to administer the plan for the exclusive benefit of the participants might require them to protect the participants’ personal information provided to vendors from hackers,” they add.