The DOL's ERISA Advisory Council recently issued a report, Cybersecurity Considerations for Benefit Plans, which summarizes its examination of and recommendations regarding cybersecurity considerations as they relate to employee benefit plans.
The report noted that while cybersecurity is a focus area for organizations with regard to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning even though plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the plan administration process. As such, the Council believes benefit plans should be specifically considered when implementing cybersecurity risk management measures, both in safeguarding benefit plan data and assets and when making decisions to select or retain a service provider.
One of the most significant challenges facing employee benefit plans is the reliance on service providers to manage the plan's daily activities. As a result, employee benefit plans typically share sensitive employee data and beneficiary and employer information with these service providers. Based upon historical cybersecurity breaches, third parties can be considered the weakest cybersecurity link. A cybersecurity breach within an employee benefit plan could ultimately result in personal information being compromised.
The Council identified four major areas for effective practices and policies:
- Data management.
- Technology management.
- Service provider management.
- People issues/training.
Every plan is unique, and cybersecurity risk management is a process. There is no “one-size-fits-all” strategy, and plan sponsors, administrators, fiduciaries and other service providers must determine what is reasonable. The Council has created materials for plan sponsors and fiduciaries to use when developing a cybersecurity strategy and program.