Joe Adams and Amy Gordon Address Cybersecurity Issues for Employee Benefit and Compensation Plans

Employee Benefits Partners Joe Adams and Amy Gordon spoke at Plan Sponsor Council of America’s (PSCA’s) 2019 National Conference in Tampa on April 30. 

Their panel, titled “Cybersecurity Issues for Employee Benefit and Compensation Plans,” addressed the latest security standards, recent administrative guidance, and the latest product offering designed to address cybersecurity risks affecting employee benefit plans. 

All the panelists acknowledged that:

• There is no comprehensive federal regulatory scheme governing cybersecurity for retirement plans in the United States.
• ERISA is silent on data protection in the form of electronic records.
• U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function.

Many service providers that serve the retirement market are covered by federal rules based on their industry, although plan service providers often cross several different industries, making standard compliance rules difficult.

Joe noted that while there was no overarching guidance, in 2016 the ERISA Advisory Council outlined some basic prudent steps that ERISA plan fiduciaries should take to address these issues, and created its “Cybersecurity Considerations for Benefit Plans” resource. While prevention of a cybersecurity threat is impossible, there are steps that can be taken to limit the threat, including:

• Determining what is reasonable from a commercial perspective and an ERISA perspective for each plan.
• Acknowledging that the cybersecurity risk management strategy cannot be a static checklist.
• The program should include regular reporting and frequent reviews and process updates that are specifically tailored to the plans’ needs.

Joe and Amy offered the following suggestions for plan sponsors to prevent a cyber-breach:

• Inventory of the plan’s data, and consider using, sharing, and maintaining only the minimum amount of data necessary. This applies to the plan’s sponsor data, as well as that used, shared, and maintained by service providers.
• Devise a framework upon which to base a cybersecurity risk management strategy.
• Establish a process that includes implementation, monitoring, testing and updating, reporting, training, controlling access, data retention and/or destruction, and third-party risk management.

Finally, the panel identified steps that could/should be taken with regard to service providers employed by the plan:

• Review applicable contract provisions with service providers, and require vendors to attest that the service provider or vendor has proper procedures in place to protect the plan’s data.
• Monitor the cyber protocols and practices of these providers on an ongoing basis to ensure they are sufficiently robust.
• Consider whether SAFETY Act certifications could fit into their overall cybersecurity risk management strategy
• Consider retaining vendors that have or use SAFETY Act approved processes or procedures

The panel also suggested that plan sponsors should evaluate their insurance coverage/bonding policies to ensure they are covered in the case of a cybersecurity attack and may want to look into purchasing an insurance policy or bond to protect against potential loss to the plan and plan participants.

Joe focuses his practice exclusively on executive compensation and employee benefits. He has significant experience advising clients regarding executive compensation and employee benefits programs, including advising on the impact of mergers, acquisitions, divestitures, and spin-offs on employee benefit plans, executive compensation arrangements, and individual executive employment agreements. Joe is a Fellow of the American College of Employee Benefits Counsel.

Amy focuses her practice on welfare benefits compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, the Internal Revenue Code, the Affordable Care Act (ACA) and its replacement legislation, and related federal and state laws and regulations. Amy is a fellow of the American College of Employee Benefits Counsel. 

For more takeaways from the panel, read this National Association of Plan Advisors (NAPA) summary.