“Cyber threats cannot be eliminated but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.”
The above admonition appears in the November 2016 report to the Secretary of Labor recently released by the Advisory Council on Employee Welfare and Benefit Plans (the Council) entitled “Cybersecurity Considerations for Benefit Plans” (the Report). The Council was established under the Employee Retirement Income Security Act of 1974 (ERISA) to advise the Secretary on issues related to employee benefit plans. ERISA, which was designed to be a comprehensive federal law regulating benefit plans, gives the Department of Labor (the DOL) enforcement authority over various matters involving plans, including the responsibilities of plan fiduciaries.
The Report notes that while cybersecurity is a focus area for organizations as to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning. Given that plans maintain and share sensitive employee data and asset information across multiple unrelated entities on a regular basis as part of the plan administration process, the Report indicates that such data and asset information should be specifically considered when implementing cybersecurity risk management measures.
Report’s Objective and Recommendations
The Council’s objective in producing the Report was to provide relevant information to, and raise awareness with, plan sponsors, fiduciaries and service providers regarding the development of cybersecurity risk management programs for benefit plans.
During 2016, the Council studied benefit plan cybersecurity, receiving oral and written testimony from experts and interested parties. Based on this testimony and the Council’s own research, the Report provides two recommendations:
- Make the Report and its appendices available via the DOL website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with information on developing and maintaining a robust cyber risk management program for benefit plans; and
- Provide information to the members of the employee benefit plan community to educate them on cybersecurity risks and potential approaches for managing these risks.
In connection with the second recommendation, the Report includes as Appendix A a sample document designed to be a resource for plan sponsors and service providers as to considerations for managing cybersecurity risks.
Unfortunately, the Report does not address two major concerns of plan administrators. According to the Report, the Council is aware that ambiguities and potential issues remain as to:
- Whether cybersecurity is a fiduciary responsibility; and
- Whether state cyber laws are preempted by ERISA.
However, the Report notes, the Council has determined that providing guidance on these topics is beyond the scope of its study.
Fiduciary Duty: If courts should hold that fiduciaries are required under ERISA to safeguard benefit plan data (the statute is silent on the matter), the implications are enormous. ERISA provides that any fiduciary as to a plan “who breaches any of the responsibilities, obligations, or duties imposed upon fiduciaries by [Title I of ERISA] shall be personally liable to make good to such plan any losses to the plan resulting from each such breach.” Under ERISA, various persons, including plan participants, can bring suit for “appropriate relief” in connection with a breach of fiduciary duty. A representative of one prominent company that assists thousands of businesses in managing employee benefit programs has told us that it views the safeguarding of participant data as a contractual matter rather than an ERISA matter.
Preemption: ERISA provides, with certain exceptions, that it “shall supersede [i.e., preempt] any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” State-law preemption is a bedrock principle of ERISA. If courts should conclude that state laws on data breaches do not “relate” to benefit plans, and are therefore not preempted by ERISA, the determination of which state law or laws apply to a data breach involving a plan having participants in multiple states would be a daunting task for its administrator, given that these laws are far from uniform as to the duties they impose.
Existing Cybersecurity Frameworks
The Report reviews and comments on various cybersecurity frameworks that could provide the foundation for cybersecurity strategies for benefit plans.
The “Framework for Improving Critical Infrastructure Cybersecurity” (NIST Framework)
- The Framework was published in 2014 by the National Institute of Standards and Technology in response to a presidential executive order issued the previous year. As the Council explains in the Report, the NIST Framework is a voluntary guideline targeting organizations that own or operate critical infrastructure; however, the standards, guidelines and practices set out in the Framework are not meant to be “one-size-fits-all.” Instead, the NIST Framework is intended to complement, not replace, an organization’s existing risk management processes. For organizations that do not have cybersecurity programs, the NIST Framework can be used as a reference.
- The three parts of the NIST Framework are (i) a “core” that outlines five concurrent and continuous functions that should occur to form an effective cybersecurity risk management program; (ii) a discussion of four categories for consideration in developing such a program; and (iii) a suggested basic process to follow in establishing such a program.
- The 2016 Council utilized the concepts contained in the first part of the NIST Framework to develop Appendix A.
- A draft update of the NIST Framework has recently been released.
The Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act)
- Congress enacted this statute to encourage the use of anti-terrorism products, services and technologies in civilian settings. The SAFETY Act specifically provides risk management protections to firms that develop, sell or deploy these technologies, as well as contractors, subcontractors and consumers downstream. The SAFETY Act’s protections include liability limitations for “claims arising out of, relating to, or resulting from an act of terrorism” where Qualified Anti-Terrorism Technologies (QATTs) have been deployed. The Secretary of the Department of Homeland Security is given broad discretion to designate a technology as a QATT.
- In the Report, the Council expresses mixed views as to the utility of the SAFETY Act for benefit plans, based upon the testimony it received. On the one hand, the Report indicates that plans may want to consider whether SAFETY Act certifications could fit into their overall cybersecurity risk management strategy, such as by retaining vendors that have or use SAFETY Act approved processes or procedures. However, the Council also notes that the cost of compliance with the statute’s standards may outweigh the coverage that the statute provides relative to the cost of cyber insurance coverage.
The Uniform Data Management Standards Now Being Developed for the Defined Contribution Plan Market (Which Includes 401(k) Plans) by the Society of Professional Asset-Managers and Recordkeepers (SPARK).
- SPARK has begun to develop these standards so that service providers can have some basis for comparing their own programs and thereby demonstrate to their client plans that the providers have met a specified benchmark. According to the Report: “[D]efined contribution providers are getting an increasing number of inquiries from clients and intermediaries [lawyers?], each with numerous and varying questions regarding cybersecurity arrangements, which in turn is increasingly taking time and resources away from day-to-day operations. In addition, defined contribution providers expressed concern that complete transparency to outside parties regarding cybersecurity practices could put security arrangements in jeopardy and increase the likelihood of becoming cyber threat targets.”
- The SPARK initiative is still a work in progress. Four core principles have been identified for designing a certification framework, and six steps have been proposed for developing such a framework.
The HITRUST Common Security Framework (CSF) and Risk Management Framework (RMF)
- HITRUST is a not-for-profit consortium that represents various providers in the healthcare industry, such as pharmacies, pharmacy benefit managers and various manufacturers, on cybersecurity matters and works to raise the level of security within the industry.
- The CSF integrates and harmonizes various standards, incorporating different state and federal requirements and best practices. The HITRUST “Assurance” program provides a mechanism for accurate and consistent cybersecurity program evaluation and reporting. The CSF in combination with the HITRUST Assurance program comprises the RMF.
- The Report notes that the American Institute of Certified Public Accountants (the AICPA) recognizes the HITRUST CSF as acceptable criteria and established guidance for “SOC 2” reporting, discussed below, because the guidance provides clarity around the risks and appropriate controls. Because HITRUST has worked in partnership with the AICPA, SOC 2 reports using the HITRUST framework result in greater consistency in audit standards across providers/firms and auditors. Consequently, the Report explains, either the HITRUST certification or a SOC 2 using the HITRUST framework can be used in vendor management programs to verify that the firm has appropriate controls to preserve the core principles of security, integrity and privacy.
AICPA Service Organization Control (SOC) Reports
- An AICPA Service Organization Control (SOC) report prepared by an auditor may provide user management (such as plan fiduciaries) with helpful information about the controls implemented by a service organization (such as a third-party recordkeeper) to help management assess and address the risks associated with retaining such an organization. There are two types of SOC reports that may be of use to benefit plans:
- A SOC 1 report is prepared in accordance with the Statement on Standards for Attestation Engagements for reporting on controls relevant to internal control over financial reporting.
- A SOC 2 report is designed to meet user-entity requirements beyond those of a SOC 1 report. A SOC 2 report addresses the risks of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.
- The Report indicates that the AICPA Assurance Services Executive Committee has formed the Cybersecurity Working Group to work in collaboration with the Auditing Standards Board to develop a consistent, profession-wide approach to performing and reporting on attestation engagements related to cybersecurity. The working group is (i) designing an examination-level attestation engagement that is intended to meet the needs of a broad range of potential users; (ii) developing suitable criteria for the engagement; and (iii) developing a cybersecurity attestation guide to provide practitioners with guidance on how to perform and report in the cybersecurity examination engagement.
Appendix A — “Employee Benefit Plans: Considerations for Managing Cybersecurity Risks”
This appendix addresses various aspects of cybersecurity for benefit plans. Below is a summary of the Council’s comments and recommendations.
Development of a Cybersecurity Risk Management Strategy
- Benefit plan sponsors may have a cybersecurity strategy for their business needs, but not a separate strategy for their benefit plans. However, because cybersecurity concerns for ERISA plans are unique and differ from business enterprise issues, a strategy for benefit plans should be specifically considered.
- The plan data that must be protected from a breach need to be identified and understood. Among the considerations here are (i) where the data are stored; (ii) who accesses the data; (iii) how the data are accessed; (iv) whether data access is properly controlled; (v) what data need to be retained; and (vi) what threats exist.
- A cybersecurity framework should be implemented that will (i) describe a process for identifying risks; (ii) develop a program to protect data that could be at risk; (iii) determine how data breaches will be detected; (iv) specify how the plan will respond to a breach; and (v) detail how the plan will recover from a breach.
- Policies and protocols should be developed that will (i) establish who is responsible for implementing and monitoring the strategy; (ii) determine how often cybersecurity procedures will be tested, modified, updated and enhanced; (iii) establish the manner in which regular reports will be made to fiduciaries and memorialized in official records; (iv) provide a schedule for regular cyber risk awareness training and reviews; (v) require background checks and screening of new personnel; (vi) identify procedures for determining which users need access to data and restricting data access on an as-needed basis; (vii) establish a strategy for destroying unnecessary data; and (viii) evaluate service provider security programs, including identifying service providers that access data and stating the conditions under which access is given.
- The risk management strategy should be customized to fit the needs of the plan, taking into account (i) the availability of internal and external resources; (ii) whether the plan’s cybersecurity needs can be integrated with the needs of the plan sponsor and related entities; (iii) costs; (iv) cyber insurance; (v) reliance on industry certifications; and (vi) monitoring of new developments.
- The probability of the threat of a breach, the loss exposure and the cost of protective action must be balanced, particularly if plan assets are to be used to bear some or all of the costs of implementing a risk management strategy. A scalable, individualized cyber risk assessment strategy appears to be the prudent starting point.
- A determination should be made of whether and to what extent state-law requirements apply as to breach notification, reporting and penalties.
Observation: The Council appears to be assuming here that ERISA does not preempt these requirements as applied to benefit plans.
Contracting with Service Providers
The appendix suggests that the following questions regarding data protection should be considered in contracting with and evaluating service providers:
- Does the provider have a comprehensive and understandable cybersecurity program? If so, what are its elements?
Observation: For understandable security reasons, a provider is unlikely to provide more than a summary of its program.
- How will the plan data be maintained and protected?
- Will plan data be encrypted “at rest” (i.e., in computer storage, excluding data that is traversing a network or temporarily residing in computer memory to be read or updated), in transit and on devices, and is the encryption automated rather than manual?
- Will the provider assume liability for breaches?
- Will the provider stipulate to permitted uses and restrictions on data use?
- What are the provider’s protocols for notifying plan management in the case of a breach? Are the protocols satisfactory?
- Will the provider agree to regular reports and monitoring and if so, what will they include?
- Does the provider regularly submit to voluntary external reviews of its controls (such as SOC reports or a similar report or certification)?
- What is the level and type of insurance coverage on the provider, including financial and fraud coverage that protects participants from financial damage?
- If the provider subcontracts to others, will the provider insist on protections (as noted above) in its agreement with the subcontractor?
- What controls does the provider have in place over physical assets that store sensitive data, including when such assets are retired or replaced (servers, hard drives, mobile devices, etc.)?
Observation: A provider should also be asked what protocols and procedures are in place as to the physical destruction of plan data, including data in hard-copy form.
- What are the provider’s hiring and training practices (for example, background checks and screening practices and cyber training of personnel)?
Cyber Insurance
- Many insurance carriers now offer cyber insurance policies to augment existing insurance protection. There are two types of coverage: (i) “third-party” coverage, which is triggered by a lawsuit and may include forensic investigations, the cost of legal advice or specialists and the settlement of lawsuits, and the cost of remediation, credit monitoring and credit freezes; and (ii) “first-party” coverage, meaning that the insured does not have to wait for a third party to sue the plan, and instead the plan can trigger coverage upon a breach in order to obtain direct risk management and services such as disaster recovery and response assistance.
- A determination should be made as to what is included in and excluded from insurance policies already in place should there be a data breach, and how the coverage compares to the cyber risk assessment, including (i) whether the coverage limits are acceptable; (ii) whether policy terms and conditions of coverage can be satisfied; and (iii) the types of protection needed (such as protection for participants against financial damage in the case of a breach, first-party coverage to offer material assistance to respond to and recover from a breach, and coverage of the costs related to required breach notification and the penalties for failure to comply with breach notification laws).
In the Report itself, the Council notes that more than 60 carriers offer stand-alone cyber insurance policies in a market worth over $2 billion in gross written premiums, with the market projected to grow to $75 billion by 2020.
Testimony before the Council indicated that small plans that may not have the resources to develop and implement a cybersecurity risk management plan on their own may find it more cost effective to obtain cyber insurance to assess risks, implement a strategy, provide services in the event of a breach and provide liability coverage to third parties. The Council noted that the underwriting process forces those who seek insurance to maintain a certain level of cyber risk management process to be eligible.
The Report should be carefully considered by benefit plan sponsors and fiduciaries who have not yet realized the risks facing plan data maintained online. In addition, the Report may prompt the DOL to provide guidance as to whether ERISA (i) requires fiduciaries to safeguard plan data; and (ii) preempts state law as to plan data breaches.