The assets and sensitive data in employee benefit plans are prime targets for cyber-attackers, who hack into accounts to steal funds and sensitive personal data. In some cases, plan participants have lost their life savings.

The Department of Labor (DOL) and plaintiffs’ lawyers have taken notice. Increasingly, plan participants sue the plan sponsor (employer) for breaching its fiduciary duty when plan data or assets are hacked. The DOL now takes the position that employers have a fiduciary duty to ensure adequate cybersecurity, including for plan data and assets held by service providers. In the more than 1,000 ERISA audits that the DOL conducts annually, cybersecurity questions have become routine. The DOL also has issued detailed guidance on vetting benefits service providers for cybersecurity risks, cybersecurity provisions in benefits service agreements, and developing an internal cybersecurity program.

The Cybersecurity Suite for Employee Benefit Plans contains (1) a Vendor Cybersecurity Questionnaire, (2) a Vendor Cybersecurity Addendum, and (3) a Plan Sponsor Cybersecurity Assessment. These documents are drafted in light of DOL guidance and industry cybersecurity standards.

  • The Vendor Cybersecurity Questionnaire contains questions to vet the cybersecurity safeguards of vendors that would handle plan data or plan assets.

  • The Vendor Cybersecurity Addendum is intended as an addendum to the vendor agreement and covers provisions on cybersecurity to reduce risks to the employer from a vendor’s breach of plan assets or data.

  • The Plan Sponsor Cybersecurity Assessment includes questions for employers to evaluate their own cybersecurity protections for plan data. Please note that the Plan Sponsor Cybersecurity Assessment may be most useful when used with legal counsel under attorney-client privilege to evaluate responses, assess gaps, and develop policies and procedures to address any gaps.