Cybersecurity continues to be an important fiduciary responsibility as the threat of security breaches from fraud, hacking, or phishing schemes grows. During the COVID-19 pandemic, cybersecurity for your ERISA retirement and welfare benefit plans becomes even more important as plan participants work from home and access plan information remotely. When plan fiduciaries work with outside service providers that access and use confidential participant data, they may wish to consider the following questions, which were part of an ERISA Advisory Council Report issued a few years ago.
- Does the service provider have a comprehensive and understandable cybersecurity program?
- What are the elements of the service provider’s cybersecurity program?
- How will the plan's (or plans') data be maintained and protected?
- Will the data be encrypted at rest, in transit and on devices, and is the encryption automated (rather than manual)?
- Will the service provider assume liability for breaches?
- Will the service provider stipulate to permitted uses and restrictions on data use?
- What are the service provider's protocols for notifying plan management in the case of a breach, and are those protocols satisfactory?
- Will the service provider agree to regular reports and monitoring, and what will they include?
- Does the service provider regularly submit to voluntary external reviews of its controls (such as SOC reports or a similar report or certification)?