Fiduciaries' playbook for data breach protection

Organizations should reinvent their cyber risk management logistics to align with the new normal. Plan and pension professionals can take a few fundamental steps that can protect their companies, their departments, and their participants from increasingly sophisticated bad actors.

Assess and reassess: Conduct an examination of your plan's current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment should adhere to independently developed criteria, and a review offers a way to ensure continued improvement. And critically, re-check cyber-vulnerabilities on an ongoing annual basis because cybercriminals are always innovating, and technology is evolving. And for some, regulators may mandate it.
Formal training and policy: Employee benefit plans of all sizes need a cybersecurity policy statement explicitly written to align with the Employee Benefits Security Administration's (EBSA) guidance. In today's fraught data security and compliance environment, official cyber policies have grown to the same importance as investment policy statements. Human error remains the number one reason for cybersecurity incidents. Policy should include the use of multi-factor authentication and mandatory staff training aligned with EBSA's cybersecurity guidance to protect against phishing, social engineering, and password brute-force attacks.
Third-party solution provider policy and standards: Pension and benefit plan committees — or the CISO in larger companies — should implement strict cybersecurity guidelines for hiring, monitoring, and re-hiring tech vendors of retirement plan services, health care plans, payroll operations, and any other service provider that takes possession of personally identifiable information. And now, on the heels of the recently enacted new Securities and Exchange Commission cybersecurity reporting rules, public company CISOs now bear responsibility and liability for incident reporting.
Cyber breach response plan: This is the plan you hope to never have to deploy. Following an attack, aftershocks can ripple for decades if a company is not properly prepared. Planning prevents incidents from spiraling into disasters and is one of the best practices specifically recommended by EBSA. The incident response costs can be detrimental or catastrophic to the business' bottom line, from intrusion-related restoration costs and legal and forensic service costs to compliance expenses related to notification laws, which vary state-to-state, requiring that the affected individuals be formally notified. The breach response plan will enable a plan sponsor to immediately engage legal counsel as well as to employ cyber insurance and covered services, assemble a cross functional team; and perform an analysis of root causes.

Plan sponsors must protect themselves too

Plan managers are doing well if they are communicating with their CISOs or IT managers in checking the data security assessments, response plans, policies, and training procedures – including for third-party cloud vendors and partners. They are doing better if they spearhead acquisition of stout cybersecurity liability insurance, which would defend the insured organization from covered allegations as well as pay settlements/judgments on behalf of the insured organization for allegations of "network security liability" or "breach of privacy liability", or both. Although it's not automatic, some cyber insurance policies will also specifically cover the insured organizations' employee benefit plans, in addition to covering the insured organization and insured persons. Some plan sponsors may think if they outsource administration, oversight, or supervision of employee benefit plans, that they're also outsourcing the liability. The liability exposure in that instance is the decision to utilize third party services.

Instant Insights /

The MOVEit data breach: A wake-up call for all retirement plan sponsors

More From HR Executive

Related Stories

Recommended For You