ERISA Fiduciary Obligations Expanded to Include Mitigation of Cybersecurity Risks

ERISA Fiduciary Obligations Expanded to Include Mitigation of Cybersecurity Risks

May 26, 2021

Cyber crime is a growing problem for businesses across industry lines. Complaints of internet crimes reported to the FBI in 2020 totaled 791,790, an increase of 69.4 percent over 2019 numbers.[i] Cybercriminals often focus their efforts on financial accounts, accounting for more than a quarter of all cyber fraud attempts.[ii] For retirement plan sponsors, recordkeepers, plan trustees, and participants in employer-sponsored plans, cyber crime brings with it the risk that fraudsters could gain unauthorized access to retirement plan accounts, as well as uncertainty about who bears responsibility for mitigating such risk.

An April 2021 press release from the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) provided cybersecurity guidance designed to help protect an estimated $9.3 trillion in Americans’ retirement accounts.[iii]

Cybersecurity Program Best Practices

The new guidance from EBSA makes it clear that plan fiduciaries have an obligation to mitigate cybersecurity risks and includes a list of recommended best practices designed to assist fiduciaries in evaluating third-party service providers, including plan recordkeepers and those responsible for systems and data.[iv]

Among other things, plan sponsors and the service providers they engage should have formal, documented cybersecurity programs; conduct annual risk assessments; engage third-party auditors to review security controls; have strong, clearly-defined security roles and protocols; conduct training for personnel; and implement technical controls and procedures including data encryption, disaster recovery, and incidence response.

Guidance for Hiring Third-Party Providers

For many small businesses choosing to sponsor retirement plans for workers, it can be difficult to know how to select service providers for their plans. However, making prudent decisions about third-party providers is key, as plan sponsors are ultimately responsible for ensuring their plans comply with all applicable rules and regulations.[v]

As sensitivity around cybersecurity grows, plan sponsors should ensure the providers they ultimately choose are committed to keeping their plans and participants’ data secure. EBSA’s announcement provided targeted guidance for choosing providers with strong cybersecurity programs and practices.[vi] Recommendations include asking potential providers to disclose their security standards, practices, policies, and audit results; evaluating publicly-available information about past security breaches; considering ethe provider’s cybersecurity insurance coverage, if applicable; ensuring contracts and agreements address information security and data privacy, and more.

Tips for Plan Participants

Even with the strongest cybersecurity measures in place at the plan sponsor and service provider levels, there is still a risk that a plan participant’s actions could unwittingly allow a cybercriminal to gain access to plan accounts and non-public information. Recognizing this, EBSA’s news release included information geared toward individual plan participants.[vii]

These tips and recommendations offer simple, yet effective, ways employees can help protect their retirement accounts. Suggestions for participants include creating strong passwords, using multi-factor authentication, routinely monitoring online participant accounts, updating the employer/plan recordkeeper as personal information changes, using secured Wi-Fi networks, using anti-virus software, and being vigilant to avoid becoming a victim of a phishing attempt.

A Proactive Approach Can Protect Plan Fiduciaries and Participants Alike

By taking cybercrime seriously and adopting a proactive approach to mitigating its risks, employers and plan sponsors can meet their fiduciary duties and help safeguard their workers’ retirement accounts. Contact us to learn more.

 

Important Disclosures:

The opinions voiced in this material are for general information only and are not intended to provide specific advice or recommendations for any individual.

All information is believed to be from reliable sources; however LPL Financial makes no representation as to its completeness or accuracy..

 

[i] https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics

[ii] https://www.forbes.com/sites/zakdoffman/2019/04/29/new-cyber-report-25-of-all-malware-hits-financial-services-card-fraud-up-200/?sh=4d5bec857a47

[iii] https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414

[iv] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf

[v] https://www.dol.gov/sites/dolgov/files/ebsa/about-ebsa/our-activities/resource-center/fact-sheets/tips-for-selecting-and-monitoring-service-providers.pdf

[vi] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf

[vii] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf

LPL Tracking 1-05146018