If you have been reading with us for a while, you know that this isn’t our first post related to cybersecurity. Unfortunately, the volume of writing on cybersecurity is directly tied to the importance and the continual evolution of the topic. This is the second of a two-part post focusing on monitoring of service providers in a digital era. The prior post reviewed the criteria for monitoring service providers and their digital interfaces with participants, focusing on specific criteria to request and review. This post reviews action steps for the selection and monitoring of service providers as they relate to cybersecurity protocols.
Fiduciary Responsibility
Nearly all plans have hired at least one service provider to perform third-party administration and recordkeeping services for the plan. This service provider likely holds critical and sensitive information about participants, including but not limited to name, Social Security number, date of birth, and account information. Under ERISA, plan fiduciaries must ensure that plan assets are used solely for the purpose of providing benefits to participants. If a prudent process is not used to safeguard such assets, the plan fiduciaries may be liable for breach of fiduciary duty.[1] This duty extends to the third parties that are hired to safeguard retirement plan assets as well as the privacy and data of each account holder.
Request from Service Providers
To ensure fiduciary duties are met, plan fiduciaries can take steps during the initial service provider selection process and in the ongoing reviews once the service provider is selected. This due diligence process is targeted at two areas: (1) data and access security and (2) misuse of personal information.
Prior to the engagement, consider asking a potential service provider the following:
- Does the service provider have security protocols in place?
- How robust are the security protocols?
- What level of insurance does the service provider have for security breaches?
- What level of liability will the service provider assume in the event of a security breach?
- How many breaches have occurred in the past 24 months? If any, what steps were taken in response to each of these breaches?
- What data is captured, and who has access to each category of data? Keep in mind that not all parties at the service provider need access to all data; this is particularly important as it relates to the provider’s subcontractors.
- Ask the provider to supply copies of the following: cyber policy, disaster recovery policy, and SOC 2 report, among other reporting and information.
During contract negotiation, confirm that the contract with the service provider will:
- provide for reasonable and regular inspection and monitoring of reports related to cybersecurity
- represent that the service provider will comply with relevant state and federal laws relating to privacy and cybersecurity
- represent that the service provider will maintain a cyber policy at all times
- represent that the service provider will maintain the requisite cyber liability coverage for the duration of the relationship
- limit the use of data and personal information (i.e., no cross selling unless otherwise authorized)
- hold the service provider liable for any security breaches (and potentially provide for indemnification of the plan and plan sponsor as a result of the service provider’s errors related to cybersecurity)
On an ongoing basis, while working with the service provider, consider the following:
- Periodically request copies of third-party audit reports for the service provider, for example, an updated version of the SOC 2 report that was initially provided. Keep in mind that over time, a service provider may go from receiving a positive SOC 2 report to receiving a negative one.
- Request that the service provider periodically provide an update on changes to any prior representations or previously disclosed materials related to cybersecurity; for example, ask for an updated cyber policy annually, as these policies are constantly changing.
- Engage in ongoing discussions related to the ever-evolving cybersecurity risks and how the service provider continues to meet these risks.
- Understand the resources that the service provider puts into data privacy and cybersecurity, including people and financial resources.
During each of these phases, document the materials reviewed and the analysis of each to demonstrate the prudent review process followed by the plan’s fiduciaries. For more information about how to monitor service providers and their cyber policies in the digital era, contact a Multnomah Group consultant.
Notes:
[1] Drinker Biddle, Cyber Solutions for Plan Sponsors, April 2019.
Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Multnomah Group does not provide legal or tax advice. Any views expressed herein are those of the author(s) and not necessarily those of Multnomah Group or Multnomah Group’s clients.