2022 Cybersecurity Issues and Recommendations for ERISA Plan Trustees | Perkins Coie

New cybersecurity developments and observations, including those related to the U.S. Department of Labor’s (DOL) review of cybersecurity issues, warrant prompt consideration by plan sponsors and other fiduciaries of benefit plans subject to ERISA.

In our April 2021 Update, we reported on the DOL’s long-awaited cybersecurity guidelines, which apply to both pension plans and health and welfare plans. Although group health plan sponsors are familiar with similar cybersecurity requirements imposed by HIPAA, the DOL’s cybersecurity guidance (in the form of “best practices” and “tips”) raises new considerations for pension plans as well as welfare plans. These considerations are in addition to the HIPAA data security requirements applicable to group health plans. Plan sponsors and trustees should be mindful of the following concerns:

  1. The DOL standard document request list for benefit plan reviews now includes a request for the plan’s cybersecurity policy. It seems unlikely that a plan will receive a closure letter from the DOL without producing an existing policy or adopting a new cybersecurity policy. This has been our experience to date, even though plan sponsors and trustees may note that the DOL’s cybersecurity guidelines are presented as agency recommendations on best practices and that a cybersecurity policy is not required by ERISA.

    Recommendation: Consider adopting a cybersecurity policy applicable to all employee benefit plans subject to ERISA (i.e., within the DOL’s investigative jurisdiction). This cybersecurity policy may take the form of a stand-alone policy document specific to ERISA benefit plans, or it may be addressed within existing corporate cybersecurity policies (noting that revisions may be required to fully meet the DOL cybersecurity guidelines).

  2. Employee benefit plans are increasingly the target of cyberattacks. Benefit plans are increasingly seen as lucrative targets for cybercriminals, given the nearly $9.3 trillion in plan assets held in retirement accounts system-wide and the participant data maintained in online databases by plan sponsors, plan trustees, third-party administrators and recordkeepers for all types of plans. In addition, increased electronic access to benefits portals by participants using internet-connected devices, including cellphones, laptops and tablets, which experience an average of 5,200 cyberattacks per month, gives bad actors easier access to these benefit plan systems. Because it is not a question of if, but when, a benefit plan will experience a cyberattack, plan sponsors and trustees should be motivated to act quickly to implement the DOL guidance, even though it is presented as best practices.

    Recommendation: Consider initiating a cybersecurity review and an ongoing testing program to monitor plan information and administrative systems and to quickly address deficiencies that, if left unaddressed, could lead to a cybersecurity breach.

  3. Existing service agreements with vendors may not sufficiently protect plan sponsors from the risk of cybersecurity issues. Given how recent the DOL cybersecurity guidance is, it is likely that many of the vendor service agreements that plan sponsors have entered into with respect to their employee benefit plans do not adequately protect sponsors from DOL-specific cybersecurity risks. With the exception of agreements involving HIPAA, which specifically address cybersecurity issues in related business associate agreements, vendor service agreements that do not specifically obligate vendors to comply with the DOL cybersecurity guidelines may limit the usefulness of the liability and indemnification provisions, or of breach of contract claims, under those agreements in the event of a cybersecurity breach. Additionally, because vendor service agreements often limit recovery of special and/or consequential damages, a general representation of legal compliance may not serve as a hook for compensation in the event of a cybersecurity breach, as breach damages are often considered special and/or consequential.

    Recommendation: Consider reviewing existing service agreements with vendors and renegotiating the terms of those agreements to include cybersecurity representations and other terms (with specific reference to the DOL cybersecurity guidelines) or, if the plan sponsor prefers to wait until the next renewal, negotiate the addition of a data privacy and security addendum in the interim, until appropriate cybersecurity terms can be incorporated into the main agreement as part of the renewal negotiations.

  4. Existing cybersecurity liability insurance policies may not cover breaches involving employee benefit plans. Plan sponsors often purchase either stand-alone cybersecurity liability insurance policies or riders to broader commercial liability coverage. However, policies that list the plan sponsor as the insured party may not cover cybersecurity breaches affecting employee benefit plans or plan trustees, even if the plan sponsor is financially responsible for the related damages. Additionally, cybersecurity liability insurers may have a further argument against covering damages resulting from a breach if the plan sponsor or fiduciary has not implemented adequate controls and safeguards to protect benefit plan assets and participant data from common cybersecurity threats, or has failed to conduct required tabletop exercises to ensure that these safeguards are adequate.

    Recommendation: Consider reviewing existing cybersecurity liability insurance policies to confirm whether the benefit plans and trustees, in addition to the plan sponsor, would be covered in the event of a breach, and review the policies’ compliance requirements. If coverage is lacking, we recommend that plan sponsors consider purchasing appropriate additional cybersecurity liability coverage.

The above recommendations are general considerations for plan sponsors and trustees, which will need to be balanced against existing cybersecurity protection programs and measures to arrive at appropriate responses. While strategies vary, it is important that plan sponsors and trustees assess and respond to the DOL cybersecurity guidelines and related issues proactively, and not wait for their ERISA benefit plans to fall victim to a cybersecurity breach or become subject to DOL review.
