Cybersecurity for Employee Benefit Plans

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
November 16, 2022

The United States is experiencing waves of new cybersecurity regulations. Because cybercrime consistently grows in sophistication, cybersecurity must become a significant concern for all businesses and individuals. Employee benefit plans are no exception.

Employee benefit plans are high value targets. Plans hold liquid assets and possess troves of personally and financial information about participants, sponsors, and the plans themselves. According to Department of Labor estimates, about 106 million individuals contribute to over 34 million different private pension plans, which hold over $9.3 trillion of assets. These plans includes multiple interconnected entities – such as plan sponsors, various fiduciaries, and record keepers – that regularly and necessarily exchange personal and financial information about participants and the plans, presenting prime opportunities for hacking. In light of the amount of assets and information held by these entities, even a single limited attack can be devastating.

The Department of Labor has responded by implementing guidelines for this industry. The guidelines have three components: (1) cybersecurity best practices for plans; (2) safeguards for hiring service providers; and (3) online protections for participants.

Cybersecurity Best Practices. DoL regulations list twelve cybersecurity best practices. They include implementing a formal, robust, and well-documented cybersecurity program with clear written policies; conducting annual risk assessments to identify threats, including hiring an independent third-party to assess the plan’s cybersecurity controls; regular cybersecurity awareness training, testing, and retraining when appropriate; encryption of sensitive information both in motion and at rest; and implementing the panoply of currently available technological safeguards needed to protect against sophisticated cyberattacks.

Hiring Service Providers. Since assets and information are only as secure as the weakest link in the chain, the DoL regulations outline the steps for plans to vet service providers. Those steps include scrutinizing the provider’s cybersecurity standards, practices, policies and audit results; inspecting the provider’s history, including any past incidents and breaches; reviewing the provider’s cybersecurity insurance policies and ensuring that those policies cover the plan in the event of breach; ensuring that contracts with providers ensure that plan assets and information are appropriately protected and that liability is appropriately allocated between the parties.

Online Protections. Individuals are often unable to, or just do not, properly protect their online activities. As a result, the DoL guidelines list a series of safeguards for plans to implement to protect their participants against online threats, including requiring truly unique and strong passwords; mandating the use of multi-factor authentication to access the participant’s plan information and assets; and internal controls for any changes made to a participant’s profile or account information, and for initiating and authorizing certain financial transactions. In addition, the DoL guidelines identify safeguards for individuals to implement to protect themselves, such as hardening home Wi-Fi networks through the use of residential firewalls and virtual private network applications, and using advanced threat detection on personal computers.

Cybercriminals are constantly looking for new and valuable targets. The wealth of information and liquid assets held by employee benefits plans presents such an opportunity. As a result, the businesses involved with these plans – including sponsors, fiduciaries, and record keepers – as well as individual participants all need to act promptly to comply with the DoL regulations, and protect themselves from becoming a victim of a devastating cyberattack.