Participant data and financial accounts comprise some of the most sensitive and potentially vulnerable information under a company’s care. These highly valuable assets can be an attractive target for cybercriminals and therefore present considerable security risk. Breaches to this information can be devastating to plan participants and to the reputation of the organization.
For plan sponsors, ensuring protections around participant data and investment assets is a key fiduciary responsibility. In fact, as law firm Hodgson Russ noted recently, “The causation standard under Section 409(a) of ERISA is an issue that could lead to more litigation as cyberattacks on employee benefit plans increase.” The provision states that plan fiduciaries who breach their fiduciary responsibilities are personally liable for any losses that result from the breach. The law firm continues: “Outside of the ERISA context, however, courts have looked at similar questions … [and] found that proximate cause was sufficiently alleged when a complaint contended that the defendant’s failure to establish industry-standard information security safeguards was the proximate cause of the stolen personal information.”
Sponsors should consider their potential exposure under Section 409(a), in the event of a failure to adhere to a prudent process for mitigating risk (upholding the higher prudent man standard). Earlier this year, the U.S. Department of Labor (DOL) issued guidance to plan sponsors, plan fiduciaries, recordkeepers and plan participants, offering best practices for maintaining cybersecurity. The guidance is structured along three main areas of focus: service provider selection, establishment of a cybersecurity program and participant protection.
Hiring a Provider
Per the DOL, plan sponsors should perform a series of due diligence checks prior to engaging a provider. The department’s advice includes inquiring about the provider’s information security standards, practices and policies, and audit results, as well as comparing them to the industry standards adopted by other financial institutions. The DOL also recommends examining the provider’s track record in the industry — including a public records search of information security incidents and litigation related to its services — and asking about the level of security it has met and implemented, how it has responded to past security breaches and whether it carries insurance that would cover losses due to a cybersecurity incident.
Implementing a Cybersecurity Program
For establishing and maintaining an effective program, the DOL points to best practices prepared by the Employee Benefits Security Administration (EBSA). The agency’s advice includes having strong access control procedures as well as an effective business resiliency program addressing business continuity, disaster recovery and incident response. It also recommends conducting periodic cybersecurity awareness training and an annual third-party assessment of security controls.
Because participants and beneficiaries can themselves be direct targets of cybercriminals, the DOL’s guidance also offers tips to retirement account holders to help reduce the risk of fraud and loss. For example, the DOL advises that participants routinely monitor their online accounts, create strong passwords and use multi-factor authentication. Other recommended precautions include signing up for account activity notifications and exercising caution when using free, publicly available Wi-Fi networks.
Defending Against Cyberthreats
Cybersecurity breaches have become increasingly prevalent in the modern world and have added another layer of complexity for plan sponsors. Given the current regulatory and legal climate, it's more important than ever to stay abreast of changes in a dynamic risk landscape — and partner with an advisor and service providers who can help mitigate the risks and keep plan participants’ data and assets safe from cyberthreats.
To view the full DOL guidance, visit the department’s website: https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity
MCF Advisors is available to assist plan sponsors in reviewing their retirement providers’ cybersecurity programs and best practices. Please contact your Plan Consultant with any questions or to schedule a meeting.
IMPORTANT DISCLOSURE INFORMATION
MCF Advisors, LLC (“MCF”) is an SEC-registered investment adviser. Please remember that past performance may not be indicative of future results. Different types of investments involve varying degrees of risk, and there can be no assurance that the future performance of any specific investment, investment strategy, or product (including the investments and/or investment strategies recommended or undertaken by MCF), or any non-investment related content, made reference to directly or indirectly in this presentation will be profitable, equal any corresponding indicated historical performance level(s), be suitable for your portfolio or individual situation, or prove successful. Due to various factors, including changing market conditions and/or applicable laws, the content may no longer be reflective of current opinions or positions. Moreover, you should not assume that any discussion or information contained in this presentation serves as the receipt of, or as a substitute for, personalized investment advice from MCF. To the extent that a reader has any questions regarding the applicability of any specific issue discussed herein to his/her/its individual situation, he/she/it is encouraged to consult with the professional advisor of his/her/its choosing. MCF is neither a law firm nor a certified public accounting firm and no portion of the newsletter content should be construed as legal or accounting advice. A copy of MCF’s current written disclosure statement discussing our advisory services and fees is available upon request. If you are an MCF client, please remember to contact MCF in writing if there are any changes in your personal/financial situation or investment objectives, for the purpose of reviewing, evaluating or revising our previous recommendations and/or services.