This alert also was published as a bylined article in Law360 on March 15, 2016.

Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess their third-party service providers’ ability to detect, prevent and respond to cyberattacks against the retirement plan. In order to minimize a retirement plan’s overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including evaluating its third-party service providers’ cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated the risk of losses in the event of a cyberattack.

This advisory is the first in a series of advisories dedicated to understanding cybersecurity issues affecting retirement plans.

Cyber Risk Management Strategy

Due to the increasing sophistication and often opaque nature of cyber threats and attacks, it is virtually impossible to develop and implement a cyber risk elimination strategy. Instead, retirement plan sponsors should focus on developing and implementing a comprehensive cyber risk management strategy.

An effective cyber risk management strategy requires a retirement plan sponsor to:

  • thoroughly diligence its third-party administrators and vendors (TPAs);
  • implement and periodically review contractual protections and insurance requirements in arrangements with its TPAs;
  • periodically monitor the TPAs’ cybersecurity compliance and related risks; and
  • consider and, if appropriate, utilize the SAFETY Act and purchase cyber and privacy insurance.

Due Diligence of TPAs

Many TPAs are affiliated with mutual funds, banks or insurance companies that are required to comply with extensive regulations regarding privacy and security of data in the ordinary course of their business, and at least some of these financial institutions have required that their affiliated TPAs comply with these regulations, even though the regulations may not require such compliance. However, there are a number of other TPAs that are not affiliated with financial institutions, e.g., consulting and actuarial companies. In the absence of a TPA's affiliation with a financial institution, no comprehensive regulatory framework exists that governs the cybersecurity protocols that TPAs of retirement plans must follow. As a first step, it is useful to know what regulatory landscape the TPA is subject to and, accordingly, the extent to which the TPA is already complying with a host of privacy and security laws. In addition, it is important to identify which operations affecting the retirement plan are handled offshore and may be subject to a less or more stringent level of scrutiny.

It is critical that a retirement plan sponsor take affirmative measures to vet its TPA’s cybersecurity program. As part of this exercise, consider the following:

  • Cybersecurity Assessment Tool. The U.S. Federal Financial Institutions Examination Council issued the Cybersecurity Assessment Tool to provide financial institutions with five criteria to evaluate their cybersecurity profile and determine their level of cybersecurity preparedness. While the assessment is voluntary, asking TPAs who are affiliated with a financial institution for the results of their assessment (if any) may provide a measurable means of assessment.
  • Formal Requests. It is recommended that a plan sponsor make a formal request of its TPAs for information regarding their security systems and risks. Examples of questions that should be specifically directed at TPAs include:
    • Does the TPA have a cybersecurity program in place and, if so, does it have an officer who is responsible for overseeing, implementing and enforcing the program?
    • How does the TPA share cybersecurity threat information with its customers?
    • Does the TPA regularly review and rate its risk level for potential or actual cyberattacks?
    • What controls does the TPA have over sensitive data, and what is its ability to respond to potential threats to this data?

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.