A computer with a lock
Property Casualty

The Impact New Cybersecurity Guidance Could Have on Your Retirement Plans

Miles Weis
Miles Weis
AVP, Executive Risk and Cyber Practice Leader

The year 2021 has brought with it a whole new level of cybersecurity risks. With the rise in ransomware and increased activity from ransomware-as-a-service (RaaS) groups, we are facing cyber threats that business leaders of the past could have never imagined.

Recent data shows the average ransomware payment is $136,576, and businesses suffer a downtime on average of 23 days. These exposures continue to grow with the evolution of the threat landscape, and regulators are taking notice of the exposure and potential impacts it has on businesses and our citizens. This leads us to a topic everyone should be interested in.

Cyber Crime and Retirement Accounts

Many of us take our retirement accounts for granted. We do our part by contributing our portions of our compensation to the plans and managing the accounts so that one day we can retire comfortably.

What many of us don’t realize is that behind the scenes, your employers have heightened responsibilities due to the plans being overseen by the Employee Retirement and Income Security Act of 1974 (ERISA).

ERISA, which is governed by the Department of Labor (DOL), casts many duties upon plan sponsors and those that are deemed to be fiduciaries within the law. Our expectations as participants are that plan sponsors and fiduciaries are doing what they are supposed to be doing to ensure our retirement benefits will be there when we expect them (and need them).

New Cybersecurity Guidance for Retirement Plans

With the increase in ransomware, data privacy, and information security activity, the Employee Benefits Security Administration (EBSA) of the DOL issued its first-ever guidance on cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants in April of 2021.

The DOL believes that without sufficient protections, plan participants and plan assets could be at risk from cybersecurity threats.

Along with the guidance, the DOL provided best practices for prudently selecting service providers, managing cybersecurity risks, and online security tips. Already this year, DOL investigators have been active in seeking cybersecurity information from plan sponsors.

The Impact on You

So, what does this mean for you as a plan sponsor or fiduciary? Three things.

You must understand the risk your organization and benefit plans face.  How are you protecting your systems and data? What measures are being taken to ensure they are secure? How much data do you maintain or process? Are your 3rd party providers protecting its data adequately?

Take this threat seriously. According to ERISA, you have a duty of care to take appropriate precautions to mitigate these risks. If you breach this duty, you may be held personally liable for your actions (or inaction).

You need to be proactive in managing these risks. ERISA is a procedural law, and thus, you must ensure your decision-making regarding your cybersecurity program is well thought out and well documented.

Work with Risk Experts Who Can Help

Different businesses have varying levels of risk and not all require that you spend millions of dollars on your information security budget.

What is required is that you adequately consider threats and design security solutions to best mitigate those risks. If you cannot handle it with internal resources, you should seek qualified professionals to help.

EBSA has already begun incorporating cybersecurity questions into its audit process, so you’ll want to be prepared.

Additionally, if you’re not talking about cybersecurity as part of your Board or plan committees, you should be. Being proactive and putting in the work upfront can help save your organization significant amounts of money, time, and loss of reputation when a cybersecurity event occurs.

Here at Holmes Murphy, we are constantly thinking ahead to help advise our clients on managing these ever-changing risks. Our team of executive risk and ESOP experts can help you manage these exposures and develop plans to minimize disruption in the event that a cybersecurity matter takes place. All you have to do is reach out, and we’re happy to help!

Explore more from Holmes Murphy