COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.
Abstract: There have been numerous instances of high-profile cybercrime cases over the past couple of years spurring lively discussions in the ERISA community about the potential threat this type of crime poses to plan assets and personal data of plan participants and beneficiaries.
Source: Truckerhuss.com, June 2017
Abstract: This is the slide deck from a presentation on plan sponsors' growing fiduciary responsibilities for cybersecurity, given at the SPARK Institute's National Conference, June 1-2, 2017.
Source: Winstead.com, June 2017
Abstract: The SEC published a Risk Alert regarding the "WannaCry" ransomware worm that infected hundreds of thousands of computers in over 150 nations earlier this month. The Alert provides background and resources and also highlights cybersecurity best practices.
Source: Sutherland.com, May 2017
Abstract: There has been a recent spike in attacks on 401k and retirement plans by cyber criminals. A data breach is a disruptive event. For plan fiduciaries, there are several factors that create heightened risk.
Source: Jonesday.com, April 2017
Abstract: Many employers historically were only concerned with privacy and security for health plans under the Health Insurance Portability and Accountability Act and state laws. However, cybersecurity should also be a consideration for every retirement plan fiduciary. To preserve fiduciary protection while making required disclosures electronically, retirement plan fiduciaries should consider whether their duties of loyalty, prudence and to administer the plan for the exclusive benefit of the participants might require them to protect their participants' personal information.
Source: Winstead.com, April 2017
Abstract: Cybersecurity is a special concern for the financial industry, a lawyer who handles cybersecurity cases said recently. But its importance goes well beyond the integrity of clients' and plan participants' sensitive information; it pervades inter-corporate business functions as well.
Source: Asppa.org, March 2017
Abstract: It's not really new that cybersecurity is a concern for employers. But it shouldn't be ignored, especially in the context of retirement plans, since plan participants' personal and financial information is maintained and shared by multiple parties.
Source: Asppa.org, March 2017
Abstract: Many employers historically were only concerned with privacy and security for health plans under the privacy regulations. However, there are other references to protecting participant information in ERISA and employee information that should not be overlooked. Cybersecurity should be a consideration for every employer and retirement plan fiduciary.
Source: Winstead.com, February 2017
Abstract: One of the most significant challenges that face employee benefit plans is the reliance on service providers to manage daily activities of the plan. As a result, employee benefit plans typically share sensitive employee data and beneficiary and employer information with these service providers. Based upon historical cybersecurity breaches, third parties can be considered the weakest cybersecurity link.
Source: Schneiderdowns.com, February 2017
Abstract: The ERISA Advisory Council on Nov. 10 issued recommendations on actions the DOL can take regarding cybersecurity and making workplace retirement accounts more secure.
Source: Asppa.org, November 2016
Abstract: Defined contribution service providers generally have cybersecurity insurance when they take on recordkeeping and other duties, but DC plan sponsors themselves are more likely to be lacking such coverage. There is no legal requirement for plan sponsors or service providers to have cyber insurance, but it's best practice.
Source: Pionline.com, October 2016
Abstract: Cybersecurity issues are not really unique to defined contribution plans. Hackers are getting smarter and are getting better at defeating protections. DC plans need to get smarter overall at protecting online sites such as banking and DC portals. But there are issues specific to defined contribution plans when it comes to cybersecurity.
Source: Pionline.com, October 2016
Abstract: 401k plan fiduciaries have an obligation to secure and keep private the personally identifiable information of plan participants and beneficiaries. Part of this essential task is ensuring that plan service providers take cybersecurity preparedness and plan data protection seriously.
Source: 401khelpcenter.com, October 2016
Abstract: This podcast discusses the evolving world of cyber risk or cyber threats and how they can impact 401k and other employer benefits plans.
Source: 401kfridays.com, October 2016
Abstract: With the increasing threat to organizations from data breaches, HR plays a critical role in helping prevent and minimize the risk from cyber theft. This 21-minute podcast addresses how to identify potential cybersecurity problems, workforce challenges in data protection, and the use of policies, training and employee education that are designed to protect private and sensitive data.
Source: Littler.com, September 2016
Abstract: Recent technological advancements, especially in the area of cybersecurity, have only now become the focus of most ERISA fiduciaries. Due to the increasing frequency and sophistication of cyber-related threats to employee benefit plans, their trustees and third-party plan administrators and the potential financial repercussions, compliance with ERISA fiduciary standards will require implementation of a prudent cyber risk management strategy. This article is dedicated to understanding cybersecurity issues in the context of ERISA benefit programs.
Source: Pillsburylaw.com, September 2016
Abstract: The 2016 ERISA Advisory Council is gathering to study ways to encourage benefit plan sponsors and managers to adopt strategies that minimize the exposure of plan participants' data to cyberattack. This article touches on what the Council is considering.
Source: Gtlaw.com, August 2016
Abstract: As in 2015, the Securities and Exchange Commission Examination Priorities for 2016 identify cybersecurity as an area of "potentially heightened [market-wide] risk."
Source: Ria-compliance-consultants.com, August 2016
Abstract: In an era when costly cyberattacks and data breaches are becoming more common, 401k plan advisers are beginning to scrutinize data-security practices at recordkeeping firms. Recordkeepers' clients also have heightened concerns about securing the personal data of their employees.
Source: Investmentnews.com (registration may be required), July 2016
Abstract: Data breaches are also causing benefit plan administrators and other fiduciaries under ERISA to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401k and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.
Source: Passwordprotectedlaw.com, June 2016
Abstract: Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. Retirement plan fiduciaries must take precautions to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity.
Source: Morganlewis.com, April 2016
Abstract: The ERISA Advisory Council's recent announcement that it will focus on how cyber-related threats affect TPAs is addressed in a legal advisory from Pillsbury Law.
Source: Asppa.org, April 2016
Abstract: In order to minimize a retirement plan's overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers' cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyber attack.
Source: Pillsburylaw.com, February 2016
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.