Cybersecurity and Retirement Plans
The technological revolution that has ushered in today’s electronic age is a thing of wonder. But it has also opened the door to theft and abuse of money and information, including from retirement accounts. A recent article discusses what can be done to address the threat.
In “Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know — and Do
,” an article appearing in the Journal of Pension Benefits, Gene Griggs and Saad Gul examine what the phenomenon portends and the steps that can lessen, of not obviate, such electronic trespass.
Griggs and Gul don’t mince words about what’s at stake. “This personal information is often sufficient for someone to steal an employee’s identity,” they say of the effect on an individual. But they also point out that cyber crime has an effect on retirement plans and those who offer them as well, and results in having to face many costs:
- detecting the extent of the breach;
- restoring system integrity;
- penalties arising under state or federal law,
- exposure to civil claims under common law or various state statutes;
- restoring lost plan assets;
- making breach notifications;
- providing post-breach identity-theft protection; and
- damage to an organization’s employee relations and public image.
Griggs and Gul outline steps that have been taken to head off further breaches and warn plan participants when they have occurred. They observe, for instance, that several states have enacted measures requiring notification of breaches and stating and protecting private rights of action.
There is no comprehensive, specific federal law or regulation concerning cybersecurity for retirement plans, Griggs and Gul note. But that is not to say that the federal government has been completely moribund, however:
- Under ERISA, a plan sponsor that distributes plan information electronically is required by DOL Reg. §2520.104b-1(c) to ensure the electronic system used for furnishing the information: (1) results in actually receiving the transmitted information; and (2) protects the confidentiality of personal information related to individual accounts and benefits.
- Under a 2013 presidential executive order, “Improving Critical Infrastructure Cybersecurity,” the federal government led the collaboration between the National Institute of Standards and Technology (NIST) and private-sector industry stakeholders to set voluntary standards and best practices for managing cybersecurity risks to critical infrastructure services. One year later, the NIST published a cybersecurity framework to provide industry standards and best practices to help in managing cybersecurity risks.
- The Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) was enacted to encourage the use of anti-terrorism products, services, and technologies in civilian settings, and includes liability limitations for claims arising out of an act of terrorism where designated or certified technologies have been employed.
In addition, Griggs and Gul observe, the private sector has been active. Industry organizations and associations, they point out, are developing data management standards, resources and tools.
And plan sponsors and fiduciaries need not wait even for all that. Griggs and Gul argue that the critical components of a cybersecurity risk management strategy incorporate three broad categories:
- development and management of a cybersecurity risk report strategy;
- third-party risk management; and
Griggs and Gul remind that there is no such thing as absolute security. “Due to the increasing number and evolving nature of cyberattacks, preventing or eliminating all risk of an attack is not a reasonable goal,” they write. Rather, they argue, plan sponsors and fiduciaries should concentrate on developing a “reasonable ad proportionate response” to the possibility of cyberattacks that would compromise plan information. “Prudent plan sponsors and fiduciaries should develop a cybersecurity risk management strategy appropriate for their benefit plans,” they posit.