Retirement Plan Security | Cybercrime | 401k Auditor Ohio | Rea CPA

How Safe Is Your Plan Participants’ Data?

It is reasonable to treat the protection of personally identifiable information (PII), whether in paper or electronic form, as part of your fiduciary duty. If a cybercriminal infiltrated your network and reached the confidential participant data in your possession, a failure to meet that responsibility could expose you personally to liability for a breach of fiduciary duty. Read on for some tips to help you reduce the risk of a data breach.

Cybercrime has become commonplace, and you must be more vigilant than ever when it comes to protecting yourself online. Businesses aren’t immune; in fact, business owners carry an even greater responsibility to protect their company’s data from criminals looking to infiltrate their systems. The responsibilities don’t stop there. Plan administrators and other retirement plan fiduciaries are held to a higher standard still, which means that if you haven’t already, now is the time to understand your obligation to protect the participant and beneficiary data to which you and your plan service providers have access.

Your Responsibility to Keep PII On Lockdown

From Social Security numbers and dates of birth to addresses and bank account information – collectively known as personally identifiable information, or PII – you are responsible for managing a large amount of confidential participant and beneficiary information. Cybersecurity was not a concern when the Employee Retirement Income Security Act of 1974 (ERISA) was enacted, but the law still requires you to act in the best interest of participants and to meet a standard of care under which you are treated as a “prudent expert.” It is therefore reasonable to treat the protection of PII, whether in paper or electronic form, as part of your fiduciary duty. If a cybercriminal infiltrated your network and reached that confidential data, a failure to meet this responsibility could expose you personally to liability for a breach of fiduciary duty. In practice, that means you should be able to show that you took prudent, documented steps to protect the data, not merely that you meant to.

Trust Nobody

The unfortunate truth is that even if your own cybersecurity efforts are second to none, once a third-party vendor has access to your company’s network, or once data is shared with a third party such as a plan service provider, your safety hinges on the effectiveness of their controls. At a recent cybersecurity seminar this was explained as owning a house (your business) with an attached garage (PII) situated next to a busy highway with traffic constantly moving at high speed (cyberspace). Each time you open your garage door (connect to cyberspace), even just a little, you risk letting something from that highway into your garage, and once in the garage there are few controls to prevent it from entering the house. The practical lesson from the analogy is that the door between the garage and the house needs its own lock: vendor and service-provider access should be separated from the rest of your network and limited to the specific systems and data the vendor actually needs, so that a compromise on their side does not automatically become a compromise on yours.
As a fiduciary to your company’s retirement plan, it’s your job to know what your service providers are doing to offer protection from cybercrime. An effective way to adhere to this responsibility, according to the Pillsbury Law Firm, is to maintain a cyber risk management strategy that allows you to:

  • Thoroughly examine third-party administrators (TPAs) and vendors before engaging them.
  • Implement, and periodically review, contractual protections and insurance requirements in your arrangements with TPAs.
  • Periodically monitor the TPAs’ cybersecurity compliance and related risks.
  • Consider and, if appropriate, utilize the SAFETY Act and purchase cyber and privacy insurance.

A good way to learn about your service providers’ security practices while identifying potential risks is to ask the following questions, and to ask for evidence (such as the provider’s most recent SOC report or independent assessment) rather than accepting the answers on faith:

  • Do you have a written cybersecurity program in place?
  • If so, who is responsible for overseeing, implementing and enforcing the program?
  • How, and how quickly, would you notify customers if a breach or security incident occurred?
  • Do you regularly assess your exposure to cyberattacks, and how is that risk rated?
  • What controls have you established to protect sensitive data?
  • Do you have an incident response plan for threats to this data, and has it been tested?

What are you doing to ensure that the data you collect from plan participants and beneficiaries is secure? Is it enough? Email Rea & Associates to learn more.

By Darlene Finzer, CPA, QKA, CSA (New Philadelphia office)

Check out these articles to learn more about the importance of guarding against a data breach:

Can A Cybercriminal Crack Your Company’s Network?