Tuesday, June 15, 2021

Musings Of Retirement Plan Fiduciaries On Cybersecurity: Episode One | Jackson Lewis P.C.

Plan trustees and their service providers have likely already heard of the DOL’s cybersecurity guidelines. The Department of Labor’s move into cybersecurity in this way – a posting of best practices on the agency’s website – left plan trustees with some questions. Here are a few:

  • “When does it take effect?”
  • “Does that apply to me?”
  • “Can I be held liable if a service provider has a data breach?”
  • “We are halfway through the term of our service contract with our record holder, do we have to do something now?”
  • “That’s IT’s problem, right?”
  • “What exactly do we have to do to be ‘careful’?”
  • “Do we have to tell the plan participants something?”
  • “If our service provider had a data breach, do we need to end the relationship?”
  • “What factors should we consider in making this decision?”

So what do plan trustees actually think? Fortunately, we were able to obtain excerpts from discussions between plan trustees that provide some insight into this question. This is our first edition, and of course we’ve redacted the text to protect people’s privacy.

Chairman of the Pension Committee: What do you think of your first meeting of the Pension Committee?

New committee member: Well, it sounds like this is going to be really interesting … however, I’m a little nervous about the personal responsibility part and I’m not a great technician. I keep hearing about these violations on the news, ransomware, you know, and I was one of the people on the gas pipeline about the Colonial Pipeline incident.

Chairman of the Pension Committee: I know what you mean. During the time we were out of the office because of COVID, I wouldn’t have been able to take part in conference calls without my 13-year-old! But I think we have a good team and good processes. Trustee training is coming up and I think they will cover that.

New committee member: Yeah, that’ll be fine. I’m not sure I know all of the service providers we have for the plans. We talked a lot about the record holder of the 401(k) plan tonight; are there any others?

Chairman of the Pension Committee: That’s a good question. We will definitely need to identify all of our service providers, especially those who process plan data. I know we have an accountant and then there’s our investment advisory firm …

New committee member (interrupting): … and what about the provider of financial wellness?

Chairman of the Pension Committee: Yes, you too. Well, we should probably regroup and develop a plan after training. I have to run. Until next week.

New committee member: OK, bye.

It looks like this organization is serious about its retirement plan administration and has some thoughtful people on the team. Pension committees are generally not required under ERISA, but they can be a valuable tool in organizing the administrative responsibilities of a pension plan.

Educating yourself about cybersecurity is a good first step for a committee or for a plan trustee in general. Done correctly, the training will help trustees better understand the threats to and vulnerabilities of plan data in general (not just those posed by criminal hackers) and gain more insight into the DOL best practices. Such training can also help plan trustees (and employees at virtually all levels of plan administration) learn more about the ways in which data can be accessed or transferred as a plan is administered. Looking at plan operations from this perspective, where data is stored and how it moves, can help plan trustees identify which service providers they need to think about.

Perhaps the most important nugget from the above exchange for addressing the DOL guidelines comes from the Chairman of the Pension Committee – make a plan!



source https://collegeeducationnewsllc.com/musings-of-retirement-plan-fiduciaries-on-cybersecurity-episode-one-jackson-lewis-p-c/