[BreachExchange] Are Retirement Plan Fiduciaries Required to Prevent Cyberattacks?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:52 EST 2016


http://www.thinkadvisor.com/2016/03/07/are-retirement-plan-fiduciaries-required-to-preven?t=legal-compliance

ERISA doesn’t explicitly require retirement plan fiduciaries to address
cybersecurity, but they may not be off the hook in the event of a breach.
Although a cyberattack in and of itself may not constitute a breach of
fiduciary duties, the lack of a plan to avoid or appropriately respond to
an attack might, considering fiduciaries’ responsibility to act with
prudence.

“Due to the prolific nature of cyberattacks,” a recent white paper pointed
out, “it may be difficult to argue that a prudent man would not consider
and react to cyber-risks.”

The paper, released in late February by Pillsbury Winthrop Shaw Pittman, a
New York City-based law firm that specializes in business and technology
law, noted that it’s “virtually impossible” to eliminate entirely the risk
of a cyberattack, but it is the responsibility of retirement plan sponsors
to manage that risk. The paper urged retirement plan fiduciaries not to
leave the responsibility to protect participant assets and information in
the hands of their third-party administrators.

Fiduciaries should also consider the privacy laws in the state in which
they operate, the paper noted, as “the extent to which ERISA pre-empts
state privacy and data laws is currently being actively litigated.”

The paper outlines the responsibilities plan sponsors have regarding
cybersecurity and offers best practices for developing an effective
strategy.

An effective plan will include thorough due diligence on third-party
administrators; contractual protections and insurance in arrangements with
TPAs, with regular reviews of those contracts; regular review of the TPAs'
cybersecurity compliance and risks; and, where appropriate, use of the
protections in the SAFETY Act and the purchase of specific cybersecurity and
privacy insurance.

(The Support Anti-Terrorism by Fostering Effective Technologies Act
provides liability protections for the makers of cybersecurity and
anti-terrorism technologies.)

Although most of a plan sponsor’s partners are affiliated with financial
institutions with strict privacy and security regulations, the authors
noted, some, like consultants or actuarial firms, may not be subject to
such scrutiny. “As a first step, it is useful to know what regulatory
landscape the TPA is subject to and, accordingly, the extent to which the
TPA is already complying with a host of privacy and security laws,” the
paper noted.

The key is that the plan sponsor take “affirmative measures” to vet a TPA’s
cybersecurity protection.

The paper suggested several tools sponsors can use to take those measures.
The Cybersecurity Assessment Tool offered by the U.S. Federal Financial
Institutions Examination Council gives financial firms five domains against
which to measure their cybersecurity preparedness. Financial institutions
are not required to complete the assessment, but sponsors should ask their
partners that are affiliated with financial services firms for the results
of any assessment they have done.

Sponsors can also directly request specific information from their TPAs,
such as:

- Has the TPA implemented a cybersecurity program? Is there a named officer
responsible for overseeing and enforcing the program?
- How is threat information shared with customers?
- How frequently does the TPA review threat risks?
- What controls exist to protect sensitive data? How does the TPA respond
to potential threats to that data?

The contract between a retirement plan sponsor and its TPAs should include
each party’s commitments, and should spread liability risk evenly.

The TPA should be responsible for maintaining a comprehensive data security
program, according to the paper, one that complies with any relevant
industry standards and data privacy laws. That program should specify how
data will be encrypted and how it will be destroyed.

The contract should also restrict how the TPA can access and use plan and
participant information, and should address the security of PINs used by
plan participants and the sponsor.

Of course, the agreement should also outline what the TPA’s obligations and
liabilities are following a security breach, including notifying the
sponsor or plan administrator, remediation after the attack and preserving
evidence.

Pillsbury Winthrop stressed that it’s essential for plan sponsors to assess
their TPAs’ cyber-risk systems throughout the relationship for two reasons.
First, “ongoing assessment ensures that the initial legwork does not go to
waste,” according to the paper. Second, and perhaps more important
considering how quickly technology evolves, “legacy cybersecurity programs
are often the most vulnerable to attacks.” Periodic assessments allow a
sponsor to determine how well their TPAs are working to stay ahead of
cyberthreats.

The paper noted that traditional liability insurance doesn’t necessarily
provide full coverage for cyber-related risks. Consequently, sponsors
should purchase additional cyber and privacy insurance to fill gaps in
coverage. Such coverage can help sponsors with expenses related to crisis
management, remediation and notification, business interruption, regulatory
defense, and fines and penalties, as well as liabilities associated with
network and information security, and communications and media.

Retirement plan sponsors can use the SAFETY Act to their advantage in one
of two ways, according to the paper.

Prior to an attack, the sponsor could have its internal cybersecurity
policies and procedures SAFETY Act-approved, which could limit the scope of
claims that could be made against it in the event of an attack, according
to the paper. Alternatively, the sponsor could require its TPAs to hold
SAFETY Act protections, “as that would allow retirement plan sponsors and
administrators to be dismissed from a broad array of claims alleging
negligence or poor performance attributed to the third-party security
products and services.”

The paper noted that obtaining protections under the SAFETY Act may
constitute evidence that the sponsor’s cybersecurity program was reasonable
and sufficiently met the sponsor’s fiduciary obligation.