Alert
02.23.16
This alert also was published as a bylined article in Law360 on March 15, 2016.
Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess their third-party service providers' ability to detect, prevent and respond to cyberattacks against the retirement plan. To minimize a retirement plan's overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy that focuses on evaluating third-party service providers' cybersecurity programs, periodically reassessing those programs, and ensuring that the plan has mitigated the risk of loss in the event of a cyberattack.
This advisory is the first in a series of advisories dedicated to understanding cybersecurity issues affecting retirement plans.
Cyber Risk Management Strategy
Due to the increasing sophistication and often opaque nature of cyber threats and attacks, it is virtually impossible to develop and implement a cyber risk elimination strategy. Instead, retirement plan sponsors should focus on developing and implementing a comprehensive cyber risk management strategy.
An effective cyber risk management strategy requires a retirement plan sponsor to:
Due Diligence of TPAs
Many third-party administrators (TPAs) are affiliated with mutual funds, banks or insurance companies that must comply with extensive data privacy and security regulations in the ordinary course of their business, and at least some of these financial institutions have required their affiliated TPAs to comply with those regulations even where the regulations do not themselves reach the TPA. Many other TPAs, however, are not affiliated with financial institutions, e.g., consulting and actuarial companies. Absent such an affiliation, no comprehensive regulatory framework governs the cybersecurity protocols that retirement plan TPAs must follow. As a first step, it is useful to know which regulatory landscape the TPA is subject to and, accordingly, the extent to which it already complies with a host of privacy and security laws. It is also important to identify which operations affecting the retirement plan are handled offshore, where they may be subject to more or less stringent scrutiny.
It is critical that a retirement plan sponsor take affirmative measures to vet its TPA’s cybersecurity program. As part of this exercise, consider the following:
Download: An Overview of Cybersecurity Issues Affecting Retirement Plans