Blog

Fiduciary Duty in the Digital Age: Cybersecurity Best Practices for ERISA Plans

Cybercriminals look for two things when seeking a victim—access and opportunity. ERISA retirement plans offer both. Cybercriminals exploit weaknesses in systems, software, or human behavior (for example, compromised credentials) to gain easy access and steal information, and they maximize their chances of success by chaining these weaknesses together. The digital nature of plan administration and the reliance on third-party service providers create a broad attack surface, and with it ample opportunity for access.

Most cybercriminals are financially motivated and seek the greatest financial gain. Retirement and health and welfare plans hold both substantial amounts of money and participants' personal information within their systems, including names, Social Security numbers, health information, and financial account details. Therefore, these plans are enticing targets for cybercriminals.  

What Does a Cyberattack on a Retirement or Health Plan Look Like? 

One of the most devastating cyberattacks to affect plans arose out of the MOVEit series of attacks. MOVEit is a file transfer application that became a target for cybercriminals, compromising retirement systems across at least 10 states. File-transfer applications like MOVEit are used ubiquitously in organizations in every industry. They are also attractive attack vectors because the records moving across them contain large volumes of high-value data that cybercriminals can use for extortion or corporate espionage. Public pension systems like the California Public Employees' Retirement System and the California State Teachers' Retirement System were two of the largest plans impacted.

The cybercriminals responsible for the attack were identified as the Russian ransomware gang Clop, which exploited vulnerabilities in the MOVEit file transfer application used by Pension Benefit Information LLC (PBI) and other vendors to transfer encrypted files. PBI is widely used by retirement plan record keepers and others in the industry to provide end-to-end encryption services and to conduct death audits that identify deceased participants.

Clop used a zero-day exploit, that is, an exploit for a vulnerability unknown to the vendor (and therefore unpatched) that was either discovered by the gang or, more likely, purchased in a dark web forum, to access the MOVEit application and, through it, the plans' networks. After gaining access to sensitive documents and exfiltrating data in large volumes, the gang demanded payment in exchange for not releasing the files to the public.

Together, these breaches affected nearly 1.2 million participants and beneficiaries. Major record keepers were also impacted, compromising data for millions of additional retirement account holders.

What Are the Cyber Regulatory Requirements for Plans? 

The US Department of Labor (DOL) recognizes the significant cyber risk to pension plans and health and welfare plans and recently reiterated that plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. In 2021, the DOL announced its first cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of 1974 (ERISA) in response to the growing cyber threat to commercial entities. On September 6, 2024, the DOL reminded ERISA plan fiduciaries that it considers cybersecurity to be an area of “great concern” and emphasized that it continues to investigate potential cybersecurity-related ERISA violations. At the same time, the DOL released guidance updating its 2021 sub-regulatory cybersecurity guidance and, most significantly, clarified that the 2024 updates apply to all types of ERISA plans, including health and welfare plans.

In light of the clear message from the DOL, fiduciaries and service providers to ERISA plans that have access to plan data or assets should evaluate the plan’s cybersecurity posture, for example through a cybersecurity assessment, adoption of a cybersecurity policy, or other improvements to security controls and monitoring operations.

For group health plans, it is important to note that the development of policies and procedures must also adhere to the requirements under the HIPAA Privacy and Security Rules. 

Can a Cybersecurity Failure Be Considered a Breach of Fiduciary Duty? 

The short answer is yes. In the context of ERISA and cybersecurity, a breach of fiduciary duty occurs when a plan fiduciary, such as a plan administrator or trustee, fails to act in the best interests of plan participants by neglecting to protect plan assets and participant data from cyber threats. The obligation is broad: a breach can consist of failing to implement adequate cybersecurity measures, failing to respond to data breaches, or failing to manage cybersecurity risks adequately.

Fiduciaries can shield plan participants from identity theft, hacking, and data breaches by adhering to robust cybersecurity practices, conducting regular risk assessments, and following DOL-recommended guidelines. 

By taking proactive steps to ensure the safety and integrity of plan participants’ hard-earned assets in an increasingly digital world, plan fiduciaries can also mitigate their own risk of personal liability.

What Are Some Non-Negotiables in a Robust Cybersecurity Posture for a Plan? 

In the context of the DOL guidance, a robust cybersecurity posture requires several non-negotiable elements. These include: 

  • Formal cybersecurity programs 
  • Risk assessments 
  • Third-party audits 
  • Strong access controls 
  • Proactive measures like patch management and incident response planning 

These are crucial for protecting sensitive data and complying with ERISA guidelines. 

Additionally, employee training, vendor management, and procuring a comprehensive cyber insurance policy are essential for mitigating risks.  

How Do We Ensure Our Third-Party Vendors Are Good Stewards of Plan Participant Information? 

Third parties that hold, access, or process plan participants' sensitive information present cybersecurity risks, as a breach at a vendor can threaten both the participants' information and the plan's network as a whole. The foundational instrument in a strong third-party risk management program is the contract, which should secure the right to periodic risk assessments, proactive monitoring, and issues management.

Contracts

Plans can use the contracting process to incorporate clauses, such as requiring third parties to implement key cybersecurity controls, into legally binding agreements. Management should ensure that contracts with third parties reflect the same level of cybersecurity protection expected within the plan, including contractual provisions such as requiring phishing-resistant multifactor authentication, data classification and encryption, intrusion detection, and independent control reviews. 

Common provisions include: 

  • Requiring detailed reports on any internal monitoring performed by the third party (i.e., ongoing audits) 
  • Identifying a maximum timeline to report a data breach from the date of discovery 
  • Maintaining a cybersecurity program and policy 
  • Updating and testing the business continuity plan 
  • Encrypting all critical data 

An often-overlooked element is the insurance requirements. The contract should require the third party to carry cyber insurance with adequate limits as well as an errors and omissions policy that would respond to a failure to safeguard data.

Risk Assessments 

Plans should develop a comprehensive risk assessment process that measures the level of risk presented by each third party. This process embodies the classic business management wisdom that if “you don’t measure it, you can’t manage it.”

Some key considerations include: 

  • How the third party connects to the plan 
  • The associated level of cyber risk for each connection method 
  • What plan resources and information are accessible 
  • Whether the third party allows employees to access plan data while working remotely 
  • Any prior history of breaches

An effective risk assessment process also includes consultation with internal or external subject matter experts and, if possible, onsite audits. Management can leverage the contract to ensure plan administrators get all the information and reports promised in a timely manner. 

Proactive Monitoring 

An additional aspect of strong third-party risk management is a robust oversight program that pairs periodic risk assessments with appropriately frequent monitoring in between them to confirm that contract terms are being fulfilled. This active monitoring between assessments evaluates the day-to-day cybersecurity posture of third parties rather than a single point-in-time snapshot.

Monitoring aims to address key questions about the data that plans share with third parties: 

  • Who has access to the data? 
  • What type and volume of data are being shared? 
  • How is the information being shared? 
  • Where is the data stored? 
  • Is data at rest encrypted? 

Issues Management

A well-developed issues management process is a key aspect of strong third-party risk management. Certain third-party technology issues, such as control deficiencies or exceptions noted in an audit report that tests whether controls operated effectively over a period of time (for example, a SOC 2 Type 2 report), are inherently more complex to remediate, which further highlights the importance of a well-developed issues management process. Any issue or concern identified during the third-party risk management review should be recorded with a description of the issue, the issue owner, the risk rating, the expected remediation timeline with an action plan, and any compensating controls in place until it is resolved. If the third party cannot or will not resolve the issue, the plan administrator will need to take appropriate next steps, which can include terminating the relationship and hiring a new third party.

Other Considerations 

Continuous Monitoring Imperative: Traditional point-in-time assessments remain important, but they are increasingly insufficient on their own. Organizations should consider a longer-term investment in real-time monitoring tools and security ratings that continuously assess vendor cybersecurity postures, not just at onboarding or at annual check-ins.

Extended Supply Chain Dependencies: Risks are rarely limited to direct vendors. Second- and nth-party relationships, such as a vendor's subcontractors and service providers, can and do introduce vulnerabilities. Effective risk management requires visibility and control across the entire supply chain, which the contract can help provide by requiring vendors to disclose their subcontractors and to hold them to the same cybersecurity obligations.

What Should a Plan Sponsor or Its Fiduciaries Consider When Reviewing Its Cyber Insurance Policy? 

When reviewing a cyber insurance policy, plan sponsors and fiduciaries can: 

  • Review the respective crime, fiduciary, and cyber policies and ensure they have adequate limits and coverages to respond to a cyber incident impacting the plan.  
  • Ensure adequate coverage for e-crime and social engineering. Social engineering/e-crime coverage in many cyber policies is limited, with insurers frequently not offering full limits or narrowing coverage. We recommend reviewing the coverage grant and any available commercial crime policy to determine if the limits and coverages meet the needs of the organization.   
  • Ensure the cyber policy contemplates coverage for more than the organization’s physical network. It should also affirmatively cover data that is managed by a third party. 
  • Ensure that there is not an overly broad ERISA exclusion on the cyber policy that could impact coverage. 

Do Plan Sponsors Have to Manage Cybersecurity on Their Own? 

A retirement plan consultant can assist plan sponsors with navigating required due diligence around cybersecurity. These experts bring specialized knowledge of ERISA requirements, industry best practices, and evolving cybersecurity threats. With a consultant's guidance, plan sponsors can meet their fiduciary responsibilities, work to protect participant data, and stay compliant with DOL guidelines. This partnership not only mitigates risks but also allows plan sponsors to focus on their core business while maintaining a strong, secure retirement plan infrastructure. 

 
