Most employers are generally aware of their fiduciary status as the “plan sponsor” of an ERISA-governed retirement plan (e.g., a 401(k) or 403(b) plan). In fact, the employer’s hiring of a service provider is in and of itself a fiduciary function: the plan sponsor is liable, and at risk, for any imprudent selection it makes. Yet despite the media’s focus on the prevalence of cyber-attacks and the Department of Labor’s (DOL) repeated statements of concern about cybersecurity as it applies to benefit plans, plan sponsors often overlook cybersecurity when selecting a third-party administrator (TPA).
TPAs have access to sensitive data regarding retirement plan participants (including beneficiaries). The operation and administration of the retirement plan often requires the TPA to share that data with multiple third parties, such as auditors, actuaries, and trustees. This data often includes names, dates of birth, Social Security numbers, plan account balances, bank account information, and wages, among other things. A successful cyber-attack or data breach, therefore, could easily result in the theft of an employee’s identity or retirement plan assets. It is therefore critical that TPAs be able to manage retirement plan data in a safe and secure fashion that minimizes exposure to cyber-attacks.
Although the DOL, which is responsible for enforcing ERISA, has not formally addressed cybersecurity in the ERISA context (guidance is expected soon), some courts have already considered whether unauthorized disclosures of retirement plan data constitute a breach of ERISA’s fiduciary duties.
Accordingly, careful plan sponsors undoubtedly will include an assessment of a prospective TPA’s cybersecurity measures in their selection process, ensure that the service agreement adequately addresses responsibility and liability with respect to data privacy and cybersecurity, and require regular updates from the selected TPA on data breaches and cybersecurity incidents.