February 28, 2017
The 2016 ERISA Advisory Council studied cybersecurity in depth, focusing on strategies benefit plans can use to manage cyber risk. Following a series of hearings and review of written material, the council prepared Cybersecurity Considerations for Benefit Plans, a report for the Department of Labor (DOL). An appendix to the report is a resource for plan sponsors and service providers, “Employee Benefit Plans: Considerations for Managing Cybersecurity Risks,” that begins by stating, “Cyber threats, including losses due to compromised data and assets, are a daily headline. No individual, organization or industry is immune from cyber threats, including benefit plans and service providers. … Cyber threats cannot be eliminated but they can be managed.” The document also notes:
It is critical for plan sponsors, administrators and service providers to have a strategy to:
(1) manage data and assets with the objective of minimizing exposure to the cyber threats that exist now and that will develop in the future, and
(2) respond and recover should a breach occur.
How the DOL will use these guidelines is unknown but the ERISA Advisory Council’s general tone is clear: cyber risk is a real and growing threat that cannot be ignored. The council recommends a cyber risk management strategy and consideration/evaluation of cyber liability insurance. Segal Select Insurance concurs.
Noteworthy excerpts from the 40-page report and the considerations document (under headings added by Segal Select) follow.
“Cybersecurity threat prevention is impossible, but an effort must be made to limit the threat, which requires implementing security protocols.”
“[A]ll parties involved in the administration and management of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event.”
“Every plan is different and cybersecurity risk management is a process, not a product.”
“Critical actions and decisions can be anticipated. ... You should be PREPARED.”
“All plan sponsors and their service providers should consider a framework upon which to base a cybersecurity risk management strategy.”
“The risk management strategy should be dynamic and adaptive to the particular situation of the plan, plan sponsor and its service providers, as well as the continually changing cybersecurity landscape.”
“Benefit plan cyber risk management strategies need to be customized and must be dynamic.”
“Plan sponsors may wish to seek the guidance of ERISA legal counsel along with cybersecurity experts.”
“Plan sponsors and fiduciaries should understand what cyber insurance does and does not provide and how it coordinates with other types of insurance coverage, so that they can appropriately consider whether to incorporate cyber insurance into their cyber risk management strategy.”
Segal Select can help plan sponsors obtain cyber liability insurance. For more information, contact Diane McNally.
Segal Consulting, another member of The Segal Group, offers other services related to cybersecurity, such as HIPAA/HITECH privacy and security risk assessments and policies.