Developing A Cybersecurity Policy For ERISA Plans

Trillions of dollars are held in benefit plans across the country, and plan records contain sensitive personal data such as participant names, addresses, ages, marital status, and social security numbers.  As a result, benefit plans are an attractive target for a host of bad actors.  If the security of plan records is compromised, a participant could be the victim of identity theft or fraud, or have their retirement savings or insurance benefits stolen by a cybercriminal.

In light of the potential for cyberattacks on benefit plans, in 2021, the U.S. Department of Labor (“DOL”) issued cybersecurity recommendations for benefit plans governed by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”).  These recommendations are outlined in our previous LEGALcurrents, available here.  Since then, high-profile data breaches such as the MOVEit breach in 2023, along with increased litigation seeking to hold plan vendors and fiduciaries responsible for cyberfraud losses, have led to heightened concerns for both employers and regulators, and increased focus on cybersecurity during DOL audits.  Since plans often have unique requirements for data management, plan fiduciaries should work closely with the employer’s data security team to include appropriate protections in plan contracts and to be sure that prudent operational controls are in place both at the employer and at plan vendors.

In this regard, the DOL has indicated that plan fiduciaries should develop and adopt a cybersecurity policy with respect to the plan or plans for which they are responsible, even if the employer has a general policy already in place.  While plan-specific cybersecurity policies may incorporate an employer’s business-wide cybersecurity practices and generally should be designed to operate harmoniously with the employer’s normal processes so long as those processes are consistent with ERISA and the plan’s particular needs, having a plan-specific policy in place ensures that the plan fiduciaries have worked through the unique concerns and administration of the covered plans.  For example, an employer’s policy may call for the destruction of records after a specified period of years, but that generally is not feasible for a retirement plan that needs to maintain the data that it needs for calculation and proof of payment of benefits indefinitely.  A benefit plan cybersecurity policy should outline the procedures, guidelines, standards, and other measures which will be taken: 1) to prevent a cyberattack in the first place, and 2) to mitigate the consequences should there be a cybersecurity incident.

Since most plans largely rely on vendors to provide the necessary administrative support for plan operations and provide those vendors with a large amount of sensitive data, an effective cybersecurity policy should specifically address cybersecurity practices with respect to vendors.  For example, the policy may provide for an evaluation of a potential vendor’s cybersecurity practices during the vendor selection process, a requirement that vendor contracts include robust cybersecurity provisions, and an annual review of vendor cybersecurity audits. 

If the cybersecurity policy covers health plans that are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the plan fiduciary should keep in mind that HIPAA imposes certain requirements with respect to the privacy and security of those plans’ HIPAA protected health information (“PHI”).  Notably, HIPAA requires these plans to maintain privacy and security policies and procedures in place with respect to PHI.  A benefit plan cybersecurity policy should operate alongside of a health plan’s existing HIPAA policies and procedures, while detailing the policies and procedures which apply to sensitive data that does not fall under the definition of PHI.

At a recent conference, a DOL representative indicated that another important aspect of cybersecurity is the maintenance of cyber liability insurance.  A plan and its fiduciaries may not be able to rely on the employer’s general cyber liability insurance, since many cyber liability insurance policies carve out liability with respect to ERISA plans.  Therefore, plan fiduciaries need to be sure that the employer’s policy does in fact provide adequate coverage, or consider obtaining coverage for the plan specifically.  A cybersecurity policy should address how the plan fiduciary will evaluate its insurance policy to ensure it provides comprehensive coverage and does not contain unfavorable exclusions or inadequate coverage limits. Additionally, the plan’s cyber liability insurance may require the plan to have specified cybersecurity controls in place in order for coverage to be effective, and the plan fiduciary will want to take any applicable requirements into account when establishing or reviewing a cybersecurity policy.

Although plan fiduciaries may not be experts in cybersecurity, they are well versed in the operations and administrative practices with respect to their plans.  By consulting with counsel regarding the procedures, guidelines, and standards needed to create an effective cybersecurity policy, as well as consulting with IT advisors as needed regarding any cybersecurity-specific questions or concerns, plan fiduciaries can help protect participants and beneficiaries from the harm of a successful cyberattack.

If you have any questions regarding this LEGALcurrents, please contact any member of the Employee Benefits and Executive Compensation group at 585.232.6500 or 716.853.1616.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2024 Harter Secrest & Emery LLP