[BreachExchange] The Time to Develop a Benefit Plan Cybersecurity Policy Is Now!

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 4 19:40:40 EDT 2018


https://www.natlawreview.com/article/time-to-develop-benefit-plan-cybersecurity-policy-now

There is widespread concern for the security of the employee data that is
collected, transmitted, and stored with regard to employee benefit plans
and for the security of the assets in participant accounts. Further, the
array of technological tools that have emerged to aid in the administration
and delivery of employee benefits continues to grow and fuels further
concern.

Retirement industry groups such as the Spark Institute and the Financial
Services Information Sharing and Analysis Center recently joined forces to
establish the Retirement Industry Council to share information about new
data security threats and strategies for improving security in the
retirement market. Plan sponsors and fiduciaries must be cognizant of these
developments and do their part to ensure that they have controls in place
to prevent security breaches of plan participant data and assets, and that
they have addressed these considerations with service providers. Although
there is no clear fiduciary mandate under the Employee Retirement Income
Security Act of 1974 (“ERISA”) with regard to cybersecurity, plan
fiduciaries do have a duty to carry out their responsibilities prudently
and in the best interests of plan participants and beneficiaries. Employers
that take the time to develop a benefit plan cybersecurity policy
(“Policy”) will be well positioned to demonstrate prudence and diligence in
these efforts, and prepared in the event of a data breach.

At a minimum, consider taking the following actions, which are by no means
exhaustive:

Assemble a qualified team. The team may include individuals from HR, IT,
legal, compliance, risk management, and any organizational cybersecurity
leaders. Make sure that the team defines its protocols around data
collection, processing and storage, encryption, outsourcing, areas of risk,
and breach notification and response, and ensure that its protocols are
properly executed and updated in compliance with applicable laws.
Designated plan fiduciaries should also provide input and adopt the Policy
as part of their fiduciary best practices. If your organization does not have
adequate in-house resources to develop a Policy, obtain qualified outside
assistance.

Identify the data. Define the types of data that are at issue, and set
parameters regarding their maintenance and security. Employee benefit plans
store extensive personally identifiable information (“PII”) for
participants and beneficiaries, such as Social Security numbers, addresses,
dates of birth, and financial information. Such information may be accessed
by various personnel and service providers, which makes it vulnerable to
data breaches. Further, depending on the type of benefit plan program,
privacy and security may require vetting through different channels. For
example, the use or disclosure of protected health information (“PHI”) will
need to comply with the Health Insurance Portability and Accountability Act
of 1996 (“HIPAA”) privacy and security rules (and electronic transmission
of health information will need to comply with the Health Information
Technology for Economic and Clinical Health (“HITECH”) Act of 2009). This
can become further complicated when participants use health-tracking
wearable tools that interact with health plans: the plan may need a
business associate agreement with any cloud or storage provider that
receives PHI. With a retirement investment advice tool, plan fiduciaries
should undertake due diligence of its privacy and security measures to
protect PII.

Train employees. Ensure that all personnel who have access to employee data
are properly trained in safeguarding it, including securing the
transmission of any data to third-party service providers. Designate
individuals to respond to any benefits-related data breach and follow
procedures for reporting breaches through the appropriate channels of the
organization. Properly vet internal personnel handling this data, and take
measures to protect against security breaches from within the company.

Develop additional standards for selecting and monitoring service
providers. Establish cybersecurity guidelines for engaging, monitoring, and
renewing service providers, such as confirmation of their cybersecurity
program and certifications, details regarding how they encrypt and protect
data, their breach notification procedures, a review of their Service
Organization Control (SOC 2) reports regarding their privacy and security
controls, their levels of insurance, and the scope of their assumption of
liabilities. Understand whether the service provider utilizes agents or
subcontractors to perform the services, and how security obligations flow
down that chain. Establish rules for any IT security review of service
provider systems, including requests for the results of independent
penetration tests to detect security risks. Address data privacy and
security, breach notification procedures, liability, and indemnification
provisions in service agreements in accordance with the standards of the
organization’s Policy.

Address data interactions. Understand how data is accessed by participants
and third parties, such as through online access or requests for retirement
account distributions or transfers. If not already doing so, request that
the service provider require multi-factor authentication (two or more
independent factors) before participants can access the information or
initiate a distribution. Consider having the service providers generate and
issue more complex usernames and passwords, or at a minimum enforce strong,
unique credentials, as participants frequently reuse the same usernames and
passwords across different websites. Consider setting up alerts for unusual
behavior, such as logins from new devices or locations, or a change of
contact or bank details shortly followed by a distribution request. Also,
educate employees on the steps they can take to protect their benefit plan
information.

Review security of mobile apps. Many new mobile apps allow plan
participants to check account balances, contributions, and investment
changes; request loans or distributions; and receive alerts and educational
information. Apps also track financial and physical wellness, and collect
and convey such information to benefit plans. Despite their convenience,
however, the use of mobile apps provides yet another opportunity for data
breaches or the actual theft of assets and benefit payments. Make sure that
the Policy sets forth the protocols that should be followed when
introducing apps into any benefits program.

Cybersecurity insurance. In addition to errors and omissions and fiduciary
liability insurance policies, cybersecurity insurance has emerged in recent
years and can offer various types of coverage, including coverage for
certain disaster recovery and response assistance that can be triggered by
a benefit plan upon a breach. Assess existing coverages to ascertain how
cybersecurity insurance can fit with your employee benefits needs.

Conclusion

It is time to develop a prudent benefit plan cybersecurity policy that will
enable employers and plan fiduciaries to face challenges head-on and reduce
potential liabilities.