Cybersecurity Considerations for Benefit Plans Executive Summary

In November 2016, the Advisory Council on Employee Welfare and Pension Benefit Plans (the “ERISA Advisory Council”) released their report “Cybersecurity Considerations for Benefit Plans.”  This document presents an overview of the key provisions contained within the report.

The ERISA Advisory Council observed that while cybersecurity is a focus area for commercial organizations with regard to ongoing business activities, benefit plans often fall outside the scope of cybersecurity planning.  Benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities and service providers as a part of the benefit plan administration process.  As a result, plan sponsors and fiduciaries should consider cybersecurity in safeguarding benefit plan data and assets, as well as when making decisions to select or retain a service provider.

As stated in the report, “Cyber threats cannot be eliminated but they can be managed.  Cyber experts say that it is not a question of if you will have a cyber-attack, rather it is a question of when.”

It is critical that plans understand the cybersecurity risks and consider establishing a cybersecurity strategy that addresses those risks.  This process includes the following:

  • Understand which sensitive plan data needs protecting
  • Apply a framework such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to help understand cyber risk and mitigate it accordingly, focusing on five concurrent and continuous functions:
    • Identify – describing a process to identify risks.
    • Protect – developing a program to protect data that could be at risk.
    • Detect – stating how breaches will be detected.
    • Respond – showing how your plan can respond.
    • Recover – detailing how your plan will recover.
  • Develop policies based on the above points that address:
    • Implementation and Monitoring. Establish who is responsible for designing, documenting, implementing and maintaining the strategy.
    • Testing and Updating. Determine how often cybersecurity procedures will be tested (including penetration testing), modified, updated and enhanced.
    • Reporting. Establish the manner that reports will be produced and recorded in the official records.
    • Training. Provide a plan for regular cyber risk awareness training and reviews.
    • Hiring Practices. Require background checks and screening of new personnel.
    • Controlling Access. Identify procedures for determining users who need access to data and restricting data access on an as-needed basis.
    • Data Retention and Destruction. Establish a strategy for data retention and destruction to reduce cyber risks.
    • Third-party Risk Management. Evaluate service provider security programs, including identifying service providers that access data and stating the conditions under which access is given.

Although action is required, it is important to develop a plan that balances the probability of the threat, the loss exposure, and the cost of protective action.  The use of cyber liability insurance can be part of the plan, but due to most plans’ coverage limitations, cannot be the only option employed. Buchbinder provides cybersecurity services to a variety of organizations. For more information, please contact Michael Pinna at
