Defined contribution consultant Ben Taylor recently spoke about cybersecurity at Pensions & Investments West Coast Defined Contribution Conference in San Diego, specifically on how to define a breach. Watch Ben’s description here (subscription required).
In addition, Jana Steele and Ben have collaborated on a paper on the topic of cybersecurity, which addressed a wide range of issues related to how DC plan sponsors should prepare for the almost inevitable threat of a cyberattack on employee data.
In their paper, Jana and Ben said that one of the most difficult challenges for plan sponsors is determining where to start to defend against increasingly sophisticated cyberattacks.
To begin the process, plan sponsors should address the following questions:
- What is their internal risk?
- Where does their employees’ personal data go and how is it transmitted and stored (e.g., to third parties, or maintained on a server or in the cloud)?
- Have they conducted appropriate due diligence on their vendors, and the partners that those vendors may share data with?
- How does the organization define a “breach”?
- How do their vendors define a “breach,” and what triggers disclosure?
- How do they monitor their internal processes and procedures and their external partners on an ongoing basis?
- Do contracts and agreements cover indemnification, notification procedures (i.e., does the vendor have to notify the sponsor when it discovers a breach, or only after the breach has been contained), and remediation?
- What is the sponsor's process, and each vendor's process, for when they experience a breach?
Callan recommends plan sponsors then take these steps to address their cybersecurity vulnerabilities and prepare for an inevitable attack:
- Explore the appropriate options for a cybersecurity framework—which provides guidance for how organizations can assess and improve their ability to prevent, detect, and respond to cyberattacks—and make an informed choice for the organization.
- Implement solutions, guidelines, and protocols for that cybersecurity framework.
- Review the cyber protections in place at the organization's vendors, and at any of those vendors' own vendors that may have access to plan participants' personally identifiable information.
- Consider how data protection is covered in contracting, specifically assessing the indemnification, notification, and remedies outlined in the agreements.
- Take inventory of what is covered or not covered by any cyberinsurance policy the organization has in force or is considering.