Sponsors Should Have a Plan in the Event of a Cyberattack

Posted March 22, 2021

  • While the Department of Labor (DOL) hasn’t issued formal guidance on the responsibilities of retirement plan sponsors to protect against cybersecurity threats, there are commonsensical protections plan sponsors can put in place nonetheless, according to Employee Retirement Income Security Act (ERISA) attorneys.
  • Any party that could be impacted by a cybersecurity breach must have an incident response plan.
  • Should a breach actually occur, the plan sponsor “needs to find out which participants were impacted, which data elements were compromised, when the breach occurred and what steps have or will be taken to mitigate the impact of the breach.”
  • The sponsor should determine if any of the company’s insurance policies cover cybersecurity breaches, and, if so, the next step is notifying these insurers that a breach has occurred.
  • Sponsors need to invest in cybersecurity protections and nurture a culture of privacy and security—from the mailroom to the boardroom. They need to hire qualified IT [information technology] staff, use the most up-to-date security software, train employees to recognize the telltale signs of phishing and other suspicious behavior, have a robust cyber-incident insurance policy in place and use secure methods to transmit sensitive information and data. Finally, they need to vet and continuously monitor their vendors.

– Lee Barney | March 22, 2021