By Nick Jackson
Data breaches, virtual attacks, and digital crime have unfortunately made many headlines in recent months. In early September, researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had left an estimated 1.65 billion Apple products vulnerable to cyberattacks for nearly six months, causing Apple to issue new software updates for all its users.
This is just one example of the lengths digital criminals are willing to go to in order to obtain valuable user information. While many individuals understand the value of protecting their online information, businesses are taking action to protect their information – and that of their employees – online as well.
One area that companies may be overlooking, however, is how their vendors and partners handle cybersecurity. My colleague, Jim Trujillo, recently wrote about the importance of business partnerships. He laid out three essential elements to any successful business relationship: (1) reliability, (2) creativity, and (3) passion. I’d like to add one more to this list: cybersecurity, especially for companies with retirement plans.
From the perspective of a cybercriminal, company-sponsored retirement plans can be a goldmine. Often, these plans hold millions in assets and contain confidential, personal data of plan participants. This means the threat is heightened, and so is the plan’s responsibility to protect the company and its participants.
This spring, the DOL provided its first-ever formal cybersecurity guidance. Plan fiduciaries now have a stated reference point on how to be proactive regarding the protection of their plan and the plan’s participants. But how does this connect to plan service providers?
Under ERISA, fiduciaries are responsible for prudently selecting and monitoring all service providers to ensure they keep participant data confidential and plan accounts secure. There are a variety of processes and procedures a business can adopt to do so, but below are some best practices to enhance cybersecurity and reduce the risk of cyberattacks committed via your plan’s vendors or providers.
REQUEST THE SERVICE PROVIDER’S SECURITY STANDARDS, PRACTICES, POLICIES, AND AUDIT RESULTS
Your service provider should be able to supply a well-documented process that ensures the protection of data, information, and systems against malicious online activity. These security standards should address all aspects of cybersecurity protection, including how the service provider:
- Identifies cybersecurity threats;
- Protects against cybersecurity threats;
- Responds to cybersecurity threats; and
- Recovers from cybersecurity threats.
REQUEST TO REVIEW THE SERVICE PROVIDER’S INSURANCE POLICY
It may be common knowledge that insurance protects us from loss. Cyber liability insurance, however, has a specific purpose and can benefit all parties to the plan, including the plan provider, its vendors, and its participants. Coverage for cyber liability can include protection of the retirement plan sponsor’s assets, the participants’ assets, and losses from identity theft breaches caused by internal or external threats.
ESTABLISH CLEAR UNDERSTANDING ON THE USE AND SHARING OF CONFIDENTIAL INFORMATION
When hiring any service provider, plan fiduciaries should set distinct standards for the provider to maintain confidential information. According to the DOL, this should include:
- Protecting private or confidential information against unauthorized access, loss, disclosure, modification, or misuse; and
- Preventing the disclosure of confidential information without prior written permission.
CONDUCT ANNUAL CYBERSECURITY RISK ASSESSMENTS BY A THIRD PARTY
According to the DOL, a third-party audit can provide insight into potential cybersecurity weaknesses. Both plan sponsors and their vendors can gain valuable knowledge from these audits, such as gaps in technology or in data protection practices, and the program updates needed to close those gaps. The DOL advises employers to document these audits, their findings, and the remedial actions taken in response to those findings.
The DOL guidance is a beneficial tool for helping plan fiduciaries strengthen their cybersecurity protocols and for ensuring their service providers are protected against data breaches and cyberattacks.