Written by Kristina Kananen
Gone are the days of firing up the laptop, getting licensed and starting a retirement plan service provider business. Due to the activities of nefarious people, these are the days of being on guard against outside forces that would steal the client information entrusted to you, and of ensuring your employees (including you) know how to avoid opening your organization to outside criminals. Lest you think only large companies are the focus of cyberthieves, 60% of all breaches happen to small to mid-size businesses. To protect that data, you will need to hire experienced and trained consultants to ensure your organization is safe and secure. This is a necessary expense in today’s world. One cybersecurity breach could destroy your organization.
Thanks to EBSA’s recently released cybersecurity guidance, all Plan Sponsors/Administrators have been made aware of the kind of cybersecurity practices that service providers for their qualified retirement plans should have in place. This can be viewed as just another burden OR as a solid marketing opportunity.
You need to know what practices Plan Sponsors/Administrators will want you to have in place, beyond reassurance that you are aware of the dangers, of course. Indicators of those practices can be found in EBSA’s “Tips for Hiring a Service Provider with Strong Cybersecurity Practices”. As a fiduciary of the plan, the Plan Sponsor/Administrator is responsible for ensuring the plan is maintained for the exclusive benefit of the participants. Ensuring the participants’ identities are safe from theft is an integral part of that responsibility. How can you, as a Service Provider, reassure the Plan Sponsor/Administrator that you have the security of the plan and participant data at heart?
First – Develop a Cybersecurity Program
EBSA expects that, as a service provider, you maintain all plan, participant, and plan account records in a digital ‘Fort Knox’. It is vital that you have a cybersecurity program that clearly states your company’s rules as to what employees can and cannot do, as 95% of breaches are caused by human error. Training employees through your IT staff ensures they understand what not to do and the steps they need to take immediately when they have done what they should not have. Accidents happen, so it is important that employees feel safe reporting issues as soon as they happen, to limit any damage. Recent news has proven that any company can be breached, so the cybersecurity program should include a contingency plan for when your company experiences a breach. For example:
- All users of your systems should know that if they notice something wrong, they should disconnect from the internet by unplugging the Ethernet cable or turning off the Wi-Fi, which they can do while calling IT. If you are using a VoIP system, employees should have a phone number for IT that can be called from their cellphone.
- IT then needs to know whom to contact and in what order, and how to contain the breach to keep damage to a minimum.
- Plan Sponsors/Administrators should be notified if their data was breached. A tally of the breaches you prevent might be of interest as part of your annual report to the Plan Sponsors/Administrators.
Second – Have a Risk Assessment Done
A risk assessment is a deep dive into your infrastructure; it will identify any holes in security and show how vulnerable your company’s infrastructure is to the outside world. Your IT department can do such an assessment for you, but if your IT “department” is part of a squad at the local office supply store, you might want to consider hiring an outside consultant experienced in conducting risk assessments. Fortunately, the Information Systems Audit and Control Association (ISACA) was founded in 1969, when its founders recognized that information was like a juicy plum to criminals. The association has programs covering all aspects of cybersecurity, certifies those who perform risk assessments, and provides continuing education. Once the assessment is completed and all issues have been addressed, you can brag to your clients about the steps you have taken to ensure the safety of their data.
Third – Have a Third-Party Auditor Audit Your Security Controls
EBSA suggests that the Plan Sponsor/Administrator ask for the results of the annual audit of security controls conducted by a third-party auditor. This is an auditor who assesses only systems and data, not financial or tax status. ISACA also certifies systems auditors and requires them to complete continuing education. Such an auditor must be able to demonstrate independence, so it is very important that they have no connection to your company, no matter how computer savvy your niece might be, or even if she is certified. They conduct an annual audit of your company’s cybersecurity practices and programs to verify information security, processing integrity, data confidentiality and system/data availability. Clients always appreciate receiving information before having to ask for it, so providing a copy of the complete audit report goes a long way in good client relations.
Fourth – Be Prepared to Explain
You should be prepared to explain to the Plan Sponsor/Administrator the security standards you have implemented. The data your company holds is vital information for plan participants. The risk assessment and audit professionals you hire to perform a security review and assessment will provide you with guidance on any foreseeable issues, as well as acknowledge the security you already have in place. Your contract with the Plan Sponsor/Administrator should include provisions giving the Plan Sponsor/Administrator the right to review any audit or assessment reports. It might be difficult to inform a client that there have been security issues in the past, but transparency can go a long way toward reassuring the client that you are aware of them and have handled the situations. This assumes that you have done the due diligence of addressing any and all breaches and attempted breaches. It would be an unusual company in today’s world not to have experienced attempted breaches. Since you will have called in the experts to help you ensure the cybersecurity of client data, you should avoid actual breaches and have bragging rights.
Companies that have succumbed to cyberattacks are the concern and the focus of EBSA’s guidance. Plan Sponsors/Administrators have been tasked by ERISA with ensuring the plans they sponsor are maintained for the exclusive benefit of the participants. They have been placed on alert to ask about any breaches, litigation and legal proceedings pertaining to your services. Having an accurate explanation of what happened and how your company responded provides not only transparency but also reassurance that you are prepared and have learned from your experiences.
Fifth – Include Cybersecurity Provisions in Your Contract with the Plan Sponsor/Administrator
Contract provisions pertaining to cybersecurity will be of special interest to the Plan Sponsor/Administrator from this point forward. Those provisions should provide that:
- You will obtain an annual audit of your company’s security provisions and procedures and provide a copy to the Plan Sponsor/Administrator;
- There are clear provisions about who can use the plan data and when, and a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse;
- The Plan Sponsor/Administrator will be notified as quickly as possible of any cyber incident or data breach, and you agree to investigate and address the cause of the breach;
- You will meet all applicable laws, rules, regulations, directives and government requirements pertaining to the security, privacy and confidentiality of participants’ personal information;
- Errors and omissions liability insurance, cyber liability and privacy breach insurance as well as a fidelity bond or blanket crime coverage bond will be maintained by your company. Be sure you know exactly what it covers and when before announcing to the Plan Sponsor/Administrator that you have obtained the insurance.
EBSA’s cybersecurity guidance provides you with opportunities to communicate with your clients, and with the material to reassure them that you are doing all you can to ensure the safety of their data. An educated staff, an alert IT department and appropriate third-party advisors will help you ensure those communications are happy communications.
1 – All companies are vulnerable to cyberattacks.
2 – Getting educated, certified help to ensure your company’s cybersecurity is vital.
3 – Think of discussing your company’s cybersecurity with your clients as a marketing opportunity.