How does your plan protect its data? The answer to this question can vary widely among plans, because there are no federal requirements that directly apply to benefit plans. This lack of guidance leaves plan sponsors and fiduciaries to determine the best way to protect sensitive participant information. The Department of Labor’s 2016 ERISA Advisory Council recently conducted a study examining cybersecurity risks affecting benefit plans and outlined recommendations for establishing and implementing a strategy to safeguard plan data. Here are six aspects to consider when establishing a cybersecurity risk management strategy.
1. Understand Plan Data
Plan sponsors should understand the processes related to how plan data is handled and who handles it. Consider what information needs to be protected, where this information is stored, and who can access it.
2. Establish a Cybersecurity Framework
The components of the framework should address the following questions:
- How will your plan identify risks?
- Once risks are identified, how will your plan protect against these risks?
- How will breaches be detected?
- Once breaches are detected, how will your plan respond?
- Once the breach is controlled, how will your plan recover?
3. Process Considerations
While the risk of a data breach can never be completely eliminated, there are several policies plan sponsors can put in place to reduce the likelihood and impact of a data breach, such as:
- Limit access to sensitive information as much as possible to only those employees who need information to perform their job duties.
- Ensure that staff with access to confidential information receive adequate training on cybersecurity risks.
- Go on a “data diet”. Do not collect information for which there is no specific purpose. Delete information when it is no longer needed.
- Establish designated individuals to be responsible for the execution of the cybersecurity framework.
- Evaluate service providers. Plan sponsors should get an understanding of their providers’ security procedures and use this information in their own risk identification process.
4. Customize Your Strategy
Every plan has different risks and the cybersecurity strategy should be customized to fit each plan’s specific environment. In forming its strategy, the plan sponsor should consider the plan’s resources, integration of the strategy with a larger organization, cost, insurance coverage, and industry or governmental certifications.
5. Strike the Right Balance
The plan sponsor should strive to strike the right balance between properly protecting the plan’s data and incurring reasonable expenses in accordance with ERISA guidelines.
6. Compliance With State Law
Some states, including Wisconsin and Minnesota, regulate the disclosure of data breaches to the state and to consumer reporting agencies. Become familiar with the requirements to avoid any fines or penalties for late disclosure. Many of these regulations impose short deadlines.
Risk management should be a dynamic strategy that evaluates and responds to risks as they arise. Every plan is unique and it is the responsibility of plan sponsors to determine the strategy that is the most appropriate for their plans. The tactics outlined above provide a basis that plan sponsors and fiduciaries can use to increase the effectiveness of their cybersecurity policies.
If you have any questions on managing cybersecurity risk, please contact a member of the Hawkins Ash CPAs employee benefit plan team for assistance.