“Because that’s where the money is,” is the famous answer apocryphally attributed to Willie Sutton when asked why he robbed banks. Given the trillions of dollars held by employee benefit plans, these plans are prime targets for cybercriminals. Plan participants are increasingly accessing their plan information online, but they do not always review their account history for accuracy. Plan participants, administrators, and service providers are also prime targets for cybercrime, especially in the environment created by COVID-19. In fact, since the rollout of the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), there has been a dramatic increase in the number of 401(k) plan participants seeking distributions and loans.
Plan sponsors are now faced with the detailed compliance requirements of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), as well as cybersecurity laws. Since ERISA pre-dates modern computing, ERISA regulations are silent regarding cybersecurity. Neither the Department of Labor (“DOL”) nor the IRS has issued formal guidance addressing cybersecurity obligations under ERISA. COVID-19 has resulted in more employees working remotely and has further complicated ERISA/cybersecurity considerations. Regardless, ERISA mandates that plan fiduciaries meet certain standards of conduct.
Understanding who may be considered an ERISA plan fiduciary, and what fiduciary obligations that person owes to the plan, its participants, and its beneficiaries, is critical. Plan fiduciaries are always the prime target for potential liability, including for alleged breach of fiduciary duty, and it is the plan fiduciaries who must address data breach matters. So, what can fiduciaries do to minimize their cybersecurity liability? Continue reading to find out…
Who is an ERISA fiduciary?
An ERISA fiduciary (see subsection (21), “29 U.S. Code § 1002. Definitions”) includes any person to the extent that person exercises discretionary authority or control over management of the plan, exercises any authority or control over management or disposition of plan assets, renders investment advice for a fee with respect to plan assets, or has discretionary authority or responsibility in the administration of the plan. ERISA fiduciaries can therefore include plan sponsors, trustees, plan administrators, third-party administrators, investment advisors, and investment managers.
So, is personal information a plan asset?
While there is no formal guidance as to the applicable fiduciary standards under ERISA with respect to cybersecurity, whether something is a plan asset is determined by the facts and circumstances. Confidential participant data may not be deemed a plan asset, since it is not property capable of being monetized to fund retirement benefits,1 but state data breach laws, which may give rise to other fiduciary obligations, may still apply. Accordingly, a conservative approach is to take reasonable actions to protect plan assets and participant personal information alike. Plan account funds are always plan assets, and ERISA’s fiduciary protections will apply if such account funds are compromised.
So, what obligations does an ERISA fiduciary have with respect to an ERISA-covered employee benefit plan?
Once again, ERISA is very clear regarding what’s required:
“. . . a fiduciary shall discharge his duties with respect to a plan solely in the interest of the participants and beneficiaries, and for the exclusive purpose of (i) providing benefits to participants and their beneficiaries, (ii) defraying reasonable expenses of administering the plan; and (iii) with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
While there is no formal guidance from the DOL or the IRS regarding plan cybersecurity, in 2015 the ERISA Advisory Council outlined cybersecurity considerations for plan fiduciaries in “Cybersecurity Considerations for Benefit Plans.” In addition, plan fiduciaries should consider industry practices that are generally applied in comparable regulated industries, such as financial services and healthcare, and adopt the cybersecurity protocols that fit their own organizations.
Does this mean we are off the hook under ERISA with respect to Cybersecurity?
No. ERISA’s prudence standard applies to how plan data and plan assets are safeguarded, so the absence of a cybersecurity-specific regulation does not relieve fiduciaries of responsibility.
So, what should the Plan Committee consider and do?
It is critical that participant data and, if applicable, plan investments be protected from attack. In particular, the Committee must ensure that technical, physical, and administrative safeguards are in place and are designed to protect the confidentiality, integrity, availability, and resiliency of plan assets, and that such safeguards meet the Committee’s legal obligations and industry standards.
Regardless of the Committee’s efforts, a cyber-attack may occur. Potential liability will be determined in large part by how the Committee responds to and manages a cyber-attack when one occurs. It is entirely possible that, despite the occurrence of a cyber-attack, the Committee or other responsible fiduciary has not violated ERISA’s prudence standard or its requirement to discharge its duties with respect to an employee benefit plan solely in the interest of participants and beneficiaries.
Several key considerations include:
- Does the Committee have a cyber-risk management strategy and plan to protect participant data and plan investment information, including a comprehensive and clear cybersecurity program?
As part of the risk assessment, the Committee must regularly review the program in light of the sensitivity and nature of the plan’s assets and the risk of loss, as well as the potential liabilities that such a loss could create. At a minimum, the plan should address preparation, detection and analysis, containment, eradication, recovery, and post-incident review, including lessons learned and revision of the plan to account for any shortcomings. The Committee should also consider whether to identify, vet, and include outside service providers such as forensics firms, public relations firms, notification providers, and counsel in the plan. Once an incident occurs, it is too late to start conducting diligence on service providers or to negotiate favorable contract terms.
- Has the Committee properly inquired of the plan’s third party service providers about their cybersecurity practices and the safeguards they have implemented?
Has the third party’s cybersecurity program been validated and tested? Are its employees, agents, and subcontractors aware of and trained on their obligations? Is there a contractual obligation to report breaches and suspected breaches to the Committee? Is access to the plan’s assets limited to those who need it?
The Committee should conduct its own diligence on each third party’s data breach response plan and consider whether they align with the Committee’s plan. Any divergence between the two should be identified and addressed. The Committee should consider conducting table-top or simulation exercises with the third party to ensure alignment and that the parties will be able to effectively manage a security incident.
- Does the Committee communicate with participants and beneficiaries regarding cyber risks and the protocols in place to minimize the risk of a security breach?
Do the plan and its third party service providers have properly trained IT staff to address the cybersecurity risks inherent in their systems? What protocols are in place for communicating a security risk?
How is access to plan assets managed, including from personal devices and company-owned devices, especially outside the corporate network? Are devices centrally managed and controlled, and do they carry proper security measures and restrictions? Can access be remotely revoked, and a device remotely wiped, when the device or user may compromise the security, integrity, availability, or confidentiality of plan assets, or when an individual is no longer associated with the plan?
Are individuals required to use strong passwords and multi-factor authentication to help protect against unauthorized access?
Are employees and contractors trained on, and kept up to date on, the latest cybersecurity risks such as phishing, malware, and clickbait? Have plan participants been advised on good cyber hygiene? Do employees and plan participants know whom to contact if they suspect an incident has occurred, or if plan assets, a participant, or a participant’s account has been compromised?
Is there a remote work policy in place? Has it been reviewed since COVID-19? Has it been communicated to employees and have they been trained on it?
- What liability reduction measures has the Committee put in place in the event of an attack, including fiduciary liability insurance?
Do the Committee and any applicable third parties carry an appropriate amount of cyber insurance to cover potential losses?
In summary, there is no section of ERISA entitled “Cybersecurity,” but plan sponsors and fiduciaries still need to put protective mechanisms in place for plan assets and data in order to prevent losses and potential liability.
1 See Divane v. Northwestern Univ., No. 16 C 8157, 2018 WL 2388118 (N.D. Ill. May 25, 2018), aff’d, No. 18-2569, 2020 WL 1444966 (7th Cir. Mar. 25, 2020).