One of the last things pension plan participants would want to learn as they get ready to celebrate the Christmas holiday is that personal data from their pension accounts may have been compromised. This is the case, unfortunately, for approximately 30,000 Now:Pensions customers whose names, postal and email addresses, birth dates and the equivalent of Social Security numbers were hacked and posted online. According to reports, the UK company, which helps to administer millions of workplace pensions, attributed the incident to a third-party service provider.
Of course, the challenge of managing the cybersecurity risk of third-party service providers does not exist solely across the pond. During a recent SPARK Cybersecurity Virtual Event, Tim Hauser, Deputy Assistant Secretary for National Office Operations at DOL’s Employee Benefits Security Administration (EBSA), observed:
When a plan fiduciary is hiring somebody who is going to be responsible for confidential, personal information, or who’s going to be running systems to keep track of people’s account balances and the like, there’s a responsibility to make sure that you’ve hired that person prudently, that firm prudently… And if you think about plans and the universe I described, that’s just shy of $11 trillion, and with personal health and pension data, there are a lot of tempting targets there and what we’ve seen in our own enforcement actions, especially in our criminal programs, vulnerabilities are taken advantage of.
According to Hauser, the U.S. Department of Labor is developing guidance for plan sponsors in the U.S. that would cover cybersecurity issues and third-party service providers for retirement plans.
Like so many other organizations affected by a breach experienced by one of their third-party service providers, Now:Pensions has provided notification to pension account holders and regulators. Reports indicate the breach occurred over a three-day period in mid-December and that the compromised data had been obtained “by an unknown third party.”
At this point, similarly situated organizations might be considering whether to move away from the service provider that caused the incident. Here are some reasons why that may not be the best course of action. However, one to-do list item that should be a given following a breach like this is to revisit the procurement process for selecting service providers, update it as needed to make sure it appropriately addresses cybersecurity risks, and ensure it is prudently implemented.
When it comes to ERISA employee benefit plans, hiring a service provider is in and of itself a fiduciary function. When considering a plan service provider’s level of cybersecurity, there are a number of steps plan sponsors and administrators can take to prudently assess the data privacy and security capabilities of potential plan service providers. Some examples include:
- Take the general threats and vulnerabilities of plan service providers into account when conducting the organization’s enterprise data security risk assessment.
- Meet with the service provider’s IT lead, but also others in the service provider’s organization – legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the service provider.
- Require the service provider to complete a detailed list of pointed data privacy and security questions, the answers to which should be actively evaluated by your IT team, counsel, and/or consultant.
- Ask about prior data security incidents and how they were handled.
- Review the service provider’s policies and procedures.
- Require the service provider to submit to an independent data security audit/review and, where warranted, a penetration test.
- Ask the service provider about its data breach response plan, and how often it is practiced. Plan to include the service provider when you practice your own response plan, and gauge their openness to that.
This is not an exhaustive list, and each step could be fleshed out more or less depending on the risk the service provider presents. In addition, it is appropriate to incorporate representations and additional protections concerning data privacy and security in the ultimate services agreement. The point is that because of the critical role service providers play, and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to evaluate plan service providers’ privacy and data security risk should happen at the procurement stage and on an ongoing basis, not just when a breach happens.