Cybersecurity and ERISA Retirement Plans: The Financial Consultant’s Role
Cybersecurity is top of mind for many businesses, but have consultants for retirement plans given the area sufficient consideration? After all, there is no explicit cybersecurity duty that applies to consultants under the Employee Retirement Income Security Act of 1974 (“ERISA”). Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans, in order to assist plan sponsor clients in fullfilling their fiduciary duties.
ERISA retirement plans hold both monetary assets and non-physical assets in the form of information about the plan and participants. Cyber incidents pose a threat to both. Phishing could result in a criminal obtaining sufficient personal information to obtain a fraudulent plan loan or plan distribution. It could also be that the data itself is the target of the theft, for example, the Social Security number, name, and bank account information used by a retirement plan to pay periodic distribution amounts to a participant.
Common types of cybersecurity threats include phishing, ransomware, malware, and wire fraud. Phishing seeks interaction from a plan fiduciary or participant in order to obtain information. Ransomware will lock a hard drive or server to prevent the owner from using that device until a ransom has been paid. Malware is often introduced onto a device or system to capture keystrokes or perform other malicious activities. Finally, wire fraud has become very sophisticated. Genuine-looking e-mails from business clients or partners will seek a transfer of funds for legitimate-sounding business reasons, only to actually be from an entirely different person or entity. Many times, this can be achieved by altering a trusted email address by a single letter.
2. Fiduciary Duties
ERISA plan fiduciaries owe a duty of loyalty to the plan participants and must act with expert prudence. These duties include acting in a manner to ensure plan assets are used solely for the purpose of providing benefits to plan participants and beneficiaries. To the extent that plan fiduciaries fail to follow a prudent process to safeguard plan assets, both data and monetary assets, those fiduciaries may be liable for a fiduciary breach, should the assets be misused or compromised. Again, there is no comprehensive regulatory scheme under ERISA that covers cybersecurity and no extensive court authority about such protections. However, a main tenet of ERISA is that plan fiduciaries act with the care that other plan fiduciaries use, and more and more plan fiduciaries are taking substantial steps towards improving plan cybersecurity. Falling behind the crowd could prove costly for a fiduciary, even in the absence of specific regulatory requirements.
3. Costs and Consequences
A plan fiduciary can be personally liable for losses due to a fiduciary breach. Therefore, it is important to prevent breaches to the extent possible and to create a recovery and reaction plan to the extent that any breaches occur. To date, the losses sustained in cyber breaches have ranged from several thousand to hundreds of millions of dollars. Costs can include monetary assets actually removed from the plan, recovery and communication costs, business interruptions, reputational risks, ongoing identity protection costs, and more. Some of these costs can be covered by insurance, but it is important that first-party insurance coverage is purchased in order to cover losses based upon a cyber breach, rather than the traditional ERISA fiduciary breach liability insurance that usually only applies after a fiduciary breach claim has been made.
4. Guiding Plan Sponsors
Is a financial consultant expected to become a cybersecurity expert in order to provide guidance to plan sponsors? No. It is not necessary to understand the exact mechanics of cybersecurity defenses in order to guide a plan sponsor. Rather, becoming knowledgeable about industry trends should be the goal. A financial consultant that connects sponsors with recordkeeping platforms or other service providers should be prepared to assist a plan sponsor in performing due diligence. Being conversant in the typical Request For Proposal questions and security representations will be key. Knowing what it means when a recordkeeper represents that it has followed the SPARK best practices with regard to cybersecurity or when a custodian or trustee states that it is participating in the Sheltered Harbor program will help a consultant add value to the client relationship. The SPARK best practices’1 aim is to assist the recordkeeping industry in speaking a common language regarding cybersecurity and set forth various frameworks for creating and evidencing cybersecurity protection processes. The Sheltered Harbor program2 is an industry-lead effort to create data back-ups in a vault that helps a bank restart consumer activities after a cyberattack. By staying up-to-date on industry steps in the data protection area, a financial consultant can flag areas for the plan sponsor client whose main expertise is rarely running a retirement plan, but is building widgets or providing dog-walking services.
In addition, the ERISA Advisory Council created “Employee Benefit Plans: Considerations for Management of Cybersecurity Risks (A Resource for Plan Sponsors and Service Providers).” It is part of a longer report by the Council to the Department of Labor that was published in November 2016: “Cybersecurity Considerations for Benefit Plans.”3
1. The SPARK Institute, “Industry Best Practice Data Security Reporting“, 9/20/17.
3. Advisory Council on Employee Welfare and Pension Benefit Plans, “Cybersecurity Considerations for Benefit Plans“, 11/16.
All investments are subject to market risk, including possible loss of principal. Diversification cannot assure a profit or protect against loss in a declining market.
Opinions expressed are current opinions as of the date appearing in this material only. The information and opinions contained herein are for general information use only. MainStay Investments does not guarantee their accuracy or completeness, nor does MainStay Investments assume any liability for any loss that may result from the reliance by any person upon any such information or opinions. Such information and opinions are subject to change without notice, and are not intended as an offer or solicitation with respect to the purchase or sales of any security or as personalized investment advice. There can be no guarantee that any projection, forecast, or opinion in these materials will be realized. Past performance is no guarantee of future results.
MainStay Investments® is a registered service mark and name under which New York Life Investment Management LLC does business. MainStay Investments, an indirect subsidiary of New York Life Insurance Company, New York, NY 10010, provides investment advisory products and services. The MainStay Funds® are managed by New York Life Investment Management LLC and distributed by NYLIFE Distributors LLC, 30 Hudson Street, Jersey City, NJ 07302, a wholly owned subsidiary of New York Life Insurance Company. NYLIFE Distributors LLC is a Member FINRA/SIPC.
Prepared for an Institutional Audience.