The threat of cybersecurity is nothing new these days. However, the threat continues to promulgate itself into more and more aspects of our daily life. From GPS systems to automobile computer systems to social media platforms, cybersecurity threats are continuing to evolve and will continue to inflict harm on the unprepared. And, employee benefit plans are no exception.
The fact that employee benefit plans, by their very nature, deal with Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) automatically amplifies the vulnerability of these arrangements to would-be thieves. As a response to this growing threat, the ERISA Advisory Council published a resource describing this vulnerability titled “Employee Benefit Plans: Considerations for Managing Cybersecurity Risks”. Below, we will highlight a few of the suggestions made therein and what you can be aware of as a Plan Sponsor.
- Plan Data
- As mentioned above, PII and PHI are especially critical pieces of data which need to be protected by any cybersecurity strategy. Consider who holds this data (such as Third Party Administrators, internal data servers, claims processing service providers, etc.), including who has access to modules containing this data. Any cybersecurity or information technology strategy that your organization maintains should also extend to data accessed by and shared with those outside your organization.
- Responsibility – Internal and External
- Establish a written policy assigning responsibility for monitoring adherence to the policy, including safeguards at the individual level such as password maintenance, sensitive document security, and segregation of duties.
- Also, be sure to understand how your service providers who access PII and PHI are ensuring the safety and security of this information. What, if any, liability do they assume for breaches? What external reviews of their controls exist and what cybersecurity concerns are addressed?
- Risk Transfer
- Review your insurance to ensure that your coverage is appropriate. Be sure to consider any applicable coverage limits when discussing these with your commercial insurance provider.
For additional information, please contact Brian Dunfee or your relationship person at Meaden & Moore, Ltd.