Hiring a Service Provider with Strong Cybersecurity Practices

Under ERISA, retirement plan fiduciaries can be held liable for cyber crime impacting participant data and assets, even when the fault lies with a service provider. New guidance suggests how advisors like you can protect yourselves.

New Guidance for Fiduciaries Issued

High rates of cyber crime continue to affect businesses large and small. But for advisors, the risk is even greater. Fiduciaries are held to a higher standard of care, with a legal obligation to protect participant assets and data from digital risks by employing robust cyber security practices.

Moreover, your fiduciary duty also extends to the service providers with which you do business. Advisors can face liability if a service provider experiences a cyber security incident that exposes participant data or results in the theft of participant assets.

Due to these added risks, hiring a service provider with strong cyber security practices is a must. Recently, the Department of Labor announced new cyber security guidance for plan sponsors, plan fiduciaries, record-keepers and plan participants.

The Department of Labor’s new guidance is the first of its kind, and while it does not yet have the weight of regulatory authority, it does provide insight into the government’s expectations for robust cyber security protection.

Follow these tips for better protection of your plan participants’ data and assets.

Tips for Hiring Service Providers

The new guidance directs fiduciaries to use service providers that follow strong cyber security practices to help protect an estimated 34 million defined benefit plan participants and 106 million defined contribution plan participants with an estimated $9.3 trillion in assets.

Advice for hiring a service provider centers on six key best practices:

  1. Ask about information security standards, practices and policies and compare them to the standards adopted by other financial institutions. Look for service providers that follow recognized standards and engage a third-party auditor for annual reviews and validation of their cyber security.
  2. Ask how the service provider’s security is validated and what level of standards are met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information about any security incidents, other litigation or legal proceedings related to the vendor’s services.
  4. Ask the service provider whether it has experienced any past security breaches and, if so, what happened and how the service provider responded.
  5. Find out what insurance coverage the service provider has to protect against cyber security-related losses and data breaches. Pay attention to both internal threats such as contractor or employee misconduct as well as external threats such as third-party hacking and theft.
  6. Make sure your contract with a service provider requires compliance with all cyber security and information security standards and includes contract terms that:
    • Do not limit the service provider’s responsibility for data security breaches.
    • Require the service provider to obtain an annual third-party audit of its compliance with standards.
    • Obligate the service provider to protect confidential information and limit the use and sharing of data.
    • Provide for prompt notification and cooperation in the event of a cyber breach.
    • Require compliance with all applicable privacy, security and data retention laws.
    • Stipulate that the service provider maintains necessary professional liability and cyber liability insurance coverage.

Coverage for Your Protection

It’s important to remember that a service provider’s own risk mitigation strategies and insurance protection aren’t enough to fully protect you and your business from cyber security dangers. In any claim or suit, all plan fiduciaries can expect to defend their cyber security practices, so obtaining your own cyber liability coverage is a must.

Lockton Affinity E&O with Cyber Liability Insurance offers broad coverage that meets ERISA standards, including services as an ERISA 3(21) and 3(38) advisor, plus cyber protection with a limit of $250,000 and a $100,000 sublimit for legal and forensic expense. With Lockton Affinity you also receive coverage with individual policy limits, competitive pricing and best-in-class service.

Cyber security risks remain a top threat to plan fiduciaries, even when you do your due diligence and work with the best service providers. Ensure you are protected by obtaining the necessary levels of insurance protection for your business.