Honesty is the best policy, but do you have a robust policy to keep your retirement plan safe from those who believe dishonesty is the better way to go? In particular, cyberthieves?
The “2020 Cyber Security Risk Report” by Aon finds that “organizations often have a false sense of confidence regarding data security, particularly when it comes to risks potentially posed by third-party service providers.” The ever-growing magnitude of the threat, and associated liability for plan fiduciaries, requires a systematic approach to managing this exposure.
A variety of bad things can happen to qualified plans — including theft of participant assets. When ERISA litigation results, judges look to whether plan fiduciaries exercised “procedural prudence” in safeguarding their participants’ interests.
Procedural prudence governs all 401(k) plans and requires plan fiduciaries to exercise their authority “with the care, skill, prudence and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.”
Establishing and following a comprehensive cyber risk policy can help demonstrate procedural prudence. This, in turn, can reduce the chances of your plan becoming a cybercrime scene.
Your first step in establishing (or updating) your policy is to assemble a team to take on the task with representatives from key departments: HR (or benefits), IT, finance and risk management. In small organizations, some team members may wear multiple hats. Consider gathering input from external experts, including legal counsel.
The team should begin by scouring your internal procedures and technology safeguards for gaps. This means reviewing the cybersecurity procedures of your plan vendors as well. Review who has access to sensitive plan data, and how it’s encrypted, stored and transmitted. Look at who handles sensitive data and how they’re trained.
Next, review how you train employees to detect and avoid phishing scams that can open the door to cyberthieves. Even if you have a cybercrime prevention policy on the books, if you haven’t reviewed it lately, now might be a good time to do so.
Be sure your business liability insurance includes cybertheft protection. The policy application should have included questions about your practices that the underwriter would need answered to assess whether to write a policy and set your premiums. Those questions can help guide your search for security gaps, including any that may have cropped up after you bought the insurance coverage.
But reviewing your own insurance policy isn’t enough. When examining (or re-examining) the cybersecurity tools and practices of your plan’s external recordkeeper and administrator, check their cybertheft insurance policies as well.
If you don’t have a comprehensive cybersecurity checklist, a quick Internet search will lead you to many examples. Hiring a cybersecurity consultant for a focused review might be in order if you’re not fully confident that you’ve pinpointed all your biggest exposures. This would be an excellent demonstration of “procedural prudence.”
The foundation of a cybercrime risk management policy is the set of best practices you identify as the steps to minimize your risk. It can cover topics such as:
- Basic procedures required of people whose roles put them in a position to prevent a server breach,
- Technical standards for cybersecurity systems,
- Training requirements and procedures,
- Insurance coverage, and
- A schedule for reviewing and updating the policy in the future.
After drafting your cybersecurity policy, have it reviewed by appropriate experts before communicating it to employees. Be sure that everyone who needs to understand and abide by the policy signs a written statement to this effect. As new people come on board, bring the policy to their attention and ask them to sign a statement as well.
Stay ahead of problems
Be sure to ask your plan vendors and recordkeepers if they have a service organization control report, known as a SOC 2 report, which addresses cybersecurity controls. It’s not enough to assume that your plan vendors have everything under control. If they don’t, you could be on the hook, as well as them. And if the cybersecurity problem lies with your own systems, your liability is even more clear.