The 2016 ERISA Advisory Council (the Council), a group created to advise the Department of Labor, is gathering on Aug. 23-25, 2016, to study ways to encourage benefit plan sponsors and managers to adopt strategies that minimize the exposure of plan participants’ data from cyber-attack.
The Council’s encouragement of plan sponsors to develop a comprehensive cybersecurity strategy makes sense in light of recent derivative claims made against board members for alleged breaches of fiduciary duty following the recent data security breaches suffered by a large hotel chain and by two major retailers. In those cases, shareholders purportedly suing derivatively alleged that directors and officers had failed to satisfy their duties of care by not preventing and promptly responding to the data breaches. And while such claims have not gained much traction in the courts, to date, there is increasing pressure on fiduciaries to be held accountable for cybersecurity oversight. The ultimate resolution of these pending claims will occur in the midst of a trending view that a cybersecurity compliance program should be at least within the organization’s overall risk mitigation strategy, if not an official component of the fiduciary’s general oversight responsibilities.
In this context, the Council will meet for the third time to undertake an effort to prepare guidance for protecting the personally identifiable information (PII) of ERISA plan participants and beneficiaries. (In 2011, the Council urged the Department of Labor to issue guidance to help fiduciaries secure PII and address the privacy and security of PII for retirement plan sponsors and beneficiaries. And again, in May 2015, the Council conducted a review of cybersecurity issues that included receiving testimony from subject matter experts.)
This year, the Council will focus on an outline of specific cyber risk management strategies for both retirement plans and health and welfare plans in light of the growing similarities and interrelationship between the two. The goal is to provide the Secretary of Labor with a draft of materials that can be offered to plan sponsors so they will have guidance about how to understand, evaluate, and protect benefit plan assets and data from cybersecurity risks.
Here is what the Council is considering in 2016:
- General types of cybersecurity risks that benefit plans are exposed to and how the overall threat environment is evolving;
- Steps, processes, and controls that benefit plans and third party providers are taking to address these risks;
- Differences in the scale of cybersecurity risk between small and large plan sponsors, with the objective of tailoring guidance and education accordingly;
- Resources that will help plan sponsors identify and establish a scalable cyber risk management strategy, including the vendor selection and monitoring process; and,
- Sample tip sheets, checklists, and other educational tools that can be used to provide plan sponsors, vendors, and plan participants with guidance on navigating cybersecurity risks related to their benefit plans.