Did you know that systems and data security fall within a retirement plan fiduciary’s duties? Cybersecurity—or the protection of personally identifiable information (PII)—is integral to a 401(k) plan fiduciary’s responsibility to act in the best interests of participants and beneficiaries.
Cybersecurity is an ERISA fiduciary duty
According to the Employee Retirement Income Security Act of 1974 (ERISA), a fiduciary is obligated to take “appropriate and necessary” steps to protect the safety of participants’ accounts and information, just as they do with plan design, investment selection, and monitoring fees and expenses. To this end, the U.S. Department of Labor (DOL) has provided broad, best-practice guidelines to address fiduciaries’ roles and responsibilities related to cybersecurity, which we’ve summarized below.
Six more steps to refining your cybersecurity approach
Culled from the DOL’s best-practices guidelines, here are six specific actions fiduciaries can consider to satisfy their cybersecurity responsibilities:
- Prudently select and monitor third-party service providers with a process that includes investigating how PII is protected, and document the factors taken into consideration. Request information regarding the providers’ data security systems and policies. Also, review the results of providers’ SOC 2 audits and other industry-recognized certifications.
- Review and, if necessary, amend agreements with service providers to ensure that contractual provisions mandate the protection of plan data and the allocation of liability.
- Consider buying cyber-liability insurance or including cyber provisions in existing liability policies. Policies should cover liability resulting in litigation, as well as the cost of the assistance and resources (such as credit monitoring or technical support) needed to minimize the impact of an actual breach.
- Document, review, and update cybersecurity policies for comprehensiveness. Ensure the ongoing monitoring of any covered service providers and employees with access to plan data while also limiting the amount of data available to only what’s necessary.
- Continue to educate fiduciaries (retaining an expert’s assistance, if necessary) to ensure they’re informed regarding the functionality of the systems, as well as the processes and procedures involved with the maintenance, retention, and protection of PII.
- Educate participants to do their part to protect against cybersecurity issues before they occur—and communicate how to mitigate losses if information is compromised.
In the end, cybersecurity is a fiduciary duty.
As a fundamental principle, 401(k) plan fiduciaries are obligated to address PII under ERISA. The practices outlined here are part of a complete approach to developing and maintaining an appropriate cybersecurity strategy—and for fulfilling this important aspect of your fiduciary obligations.
1 “Cybersecurity Considerations for Benefit Plans,” the DOL’s Advisory Council on Employee Welfare and Pension Benefit Plans, November 2016.
2 This includes knowledge of the cybersecurity protocols themselves, as well as the policies, protections, and guarantees of any involved administrative service providers, recordkeepers, payroll providers, third-party administrators, and financial advisors.
The content of this document is for general information only and is believed to be accurate and reliable as of the posting date but may be subject to change. John Hancock and its representatives do not provide investment, tax, or legal advice. Please consult your own independent advisor as to any investment, tax, or legal statements made herein.