To attract and retain the best employees, a 401(k) plan is a must. Operating a 401(k) plan, however, involves many responsibilities, including drafting and maintaining plan documents, communicating with employees, calculating and distributing benefits, and protecting plan assets. Most employers delegate some or all of these responsibilities to third-party administrators (TPAs) who, to perform services, collect and hold sensitive employee information such as addresses, birthdates, compensation data and Social Security numbers.

Yet, with all of this sensitive information changing hands, 401(k) plan cybersecurity is often an afterthought, even at companies that take great care to protect their businesses from cyberthreats. Because there are no cybersecurity rules or standards that directly and specifically address 401(k) plans, it is hard to know where to begin. It is also tempting to assume that TPAs have adequate cybersecurity controls in place. However, there are many reasons employers should spend more time protecting their plans—and there are ways to do so.

Cybersecurity Rules and Standards of General Application

Although no cybersecurity rules directly address 401(k) plans, many state laws require employers to protect personal information and take specific actions in the event of a breach.

[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]

Under these laws, employers are held responsible for TPA noncompliance. It is therefore vital that employers contractually ensure that each TPA is complying with these state laws and that the employer is protected if the TPA breaches these laws.

There is ample inspiration for best practices. For example, under the New York Department of Financial Services' cybersecurity regulation, banks and other financial institutions doing business in New York are required to designate a chief information security officer, create and annually update a robust plan for security breaches, conduct evaluations of security vulnerabilities, and require cybersecurity training. It is reasonable to ask any TPA to meet similar standards.

The Employee Retirement Income Security Act (ERISA) holds employers that sponsor 401(k) plans to a high fiduciary standard of prudence, which incorporates a requirement to carefully choose and monitor TPAs. It is reasonable to infer that the prudence standard requires employers to negotiate their TPA contracts so that participants' savings and personal information are protected from cyberthreats.

Proactive Steps for Plan Sponsors

When hiring a TPA or renewing a TPA service contract, employers should negotiate strong and specific cybersecurity protections into the contract, including the following:

  • The TPA should maintain a comprehensive, written security program that contains administrative, technical and physical safeguards based on accepted industry practices.
  • If any data are lost or stolen under the TPA's watch, the TPA should contact the employer immediately and provide a remediation plan that complies with all federal and state laws relating to data breaches, whether the laws apply to the TPA or to the employer.
  • The TPA should bear all expenses for security breach mitigation and should compensate the employer for any loss or theft of the employer's data.
  • The contract should address transfer, storage, retention and destruction of data.
  • Participant data should be accessible only by the TPA's trained personnel and used only to perform the contracted services.
  • Any subcontractors must be bound by the same standards as the TPA.
  • The TPA should have a robust business continuity and disaster recovery plan covering the employer's data.
  • The employer should reserve rights to audit the TPA's practices.
  • The agreement term should be limited so that the employer can renegotiate cybersecurity provisions as rules evolve and new threats emerge.

Smaller employers generally have limited bargaining power and may have little success negotiating for employer-friendly cybersecurity provisions. That said, employers of all sizes should, at the very least, strive to meet the ERISA prudence standard, including by comparing proposals of several TPAs every few years and making good-faith negotiation attempts.

For most companies, 401(k) plan cybersecurity is not a priority. However, by carefully choosing and monitoring service providers, 401(k) plan sponsors can protect themselves and their employees from cybersecurity threats.

Originally published by Society for Human Resources Management

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.