Alert
04.19.16
This alert also was published as a bylined article on Law360 on June 3, 2016.
The ERISA Advisory Council[1] recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans. By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes, among other actions, the implementation and periodic review of contractual protections in arrangements with their plans’ TPAs.
This advisory is the second in a series of advisories dedicated to understanding cybersecurity issues.[2]
Contractual Landscape
Most contracts prepared by TPAs for recordkeeping and related services do not provide adequate contractual protections relating to data security. Typically, the TPA’s form contract contains minimal or no protections and, in some cases, there are more obligations imposed on the plan sponsor relating to data security (e.g., protection of personal identification numbers of plan participants) than on the TPA. Indeed, a literal reading of the general indemnification provisions of some form contracts would require the plan sponsor to indemnify the TPA against losses arising from a cybersecurity breach on the TPA’s systems in the absence of gross negligence or willful misconduct by the TPA.
This is not surprising. Many of the contract forms were developed many years ago, before cybersecurity issues attracted significant attention. While TPAs update their forms from time to time, it is not in their interest to offer robust contractual commitments in this area. As a result, it is incumbent on plan sponsors to raise the issue with their TPAs and propose appropriate contractual protections.
Key Contractual Protections
We recommend that plan sponsors and/or plan administrators seek the contractual protections set forth below. The types of contractual protections can be broken down into the following four categories: (i) protection of data, (ii) restrictions on the use and location of data, (iii) responses to actual or threatened cybersecurity breaches and (iv) liability and risk allocation.
Data Protection Safeguards
The contract should require the TPA to commit to maintain appropriate safeguards for plan participant data. Typically, these commitments include some combination of the following:
With possible exceptions for certain large transactions, plan sponsors and/or plan administrators should not expect TPAs to agree to comply with the cybersecurity policies of the plan sponsor and/or plan administrator. Recordkeeping and similar services provided by TPAs are “one-to-many” solutions—that is, from a data security standpoint, the solution is generally the same for each client. Plan sponsors and/or plan administrators will need to conduct due diligence of the TPA’s cybersecurity practices and procedures to provide a level of comfort that plan participant data is appropriately protected.
Read more: Negotiating Cybersecurity Contractual Protections for Retirement Plans