Managing an employee benefit plan is a challenging task that often requires the services of third-party providers. For many, this may include investment advisors, Third Party Administrators (TPA), plan custodians, and recordkeeping. While they all serve different functions they also have one thing in common – access to the personally identifiable information (PII) of plan participants. Data such as name, address, Social Security numbers, driver’s license number, and bank account details can be used by cybercriminals to target plan participants. Given there were over 1,000 reported cases of data breaches reported in 2020, plan sponsors need to ensure selected providers have robust cybersecurity protections in place to safeguard sensitive data. For this reason, the Department of Labor recently published guidance on tips for hiring service providers with strong cybersecurity practices. To help clients, prospects, and others, Calvetti Ferguson has provided a summary of the key points below.
Key Cybersecurity Considerations:
Information Security Standards
When evaluating providers, it is important to ask about the information security standards, practices, and policies, and for any audit results. When possible, work with those who adhere to a recognized standard for information security and use an outside auditor to review and test existing measures. It is difficult to trust the effectiveness of controls that are not regularly and validated by regular audit reports. Regular reviews of information security, system availability, processing integrity and data confidentiality must be conducted.
It is important to also understand how a provider validates practices and what levels of security standards have been implemented. In this regard, it is important to include in any contract that the plan has a right to review audit results related to standards compliance.
Verify the provider has the necessary insurance policies to protect against losses caused by a data breach. It is important the policy not only covers the obvious external threats, but also those arising from employee or contractor activities. If the proper insurance coverage has not been obtained, then consider making it a requirement of doing business.
It is important to have detailed discussions about whether the provider has previously experienced a data breach. If so, it is important to find out what was the cause, what data was impacted, when were victim organizations notified, and the steps taken to respond and bolster protection.
Essential Contract Provisions
Ensure that any contract includes an ongoing standards compliance requirement. Be sure to avoid those that have limitations around the provider’s responsibility for data breaches. When reviewing contracts be sure the following are included:
- Information Security Reporting – There should be a clause that requires an annual third-party audit to ensure compliance with relevant standards.
- Breach Notification – There should also be information on how quickly the plan will be notified in the event of a cyber incident or data breach. In addition, there should be a requirement that outlines the provider’s cooperation to investigate and remedy the identified causes.
- Data Sharing & Confidentiality – Clear language should be included that spells out the provider’s obligation to ensure data confidentiality and to prevent the use or disclosure of information without prior written permission. Details on how the provider will protect confidential information from unauthorized access, loss, disclosure, modification, or misuse should be identified.
- Insurance – As mentioned above, the plan may want to require specific insurance coverage such as professional liability, errors and omissions, cyber liability, privacy breach insurance, and blanket crime coverage.
Taking reasonable steps to ensure cybersecurity and data protection measures are in place with providers is essential to ensuring the integrity of plan data. If you have questions about the information outlined above or need assistance with your upcoming benefit plan audit, Calvetti Ferguson can help.