401(k) Plan Sponsors Should Be Prepared When a Cybersecurity Issue Occurs

In a recent article on www.plansponsor.com, Elizabeth Harris shares information that plan sponsors can use when a cybersecurity incident occurs.

Those with experience say ‘clear, concise communications’ and coordination with partners are vital in crafting an effective response.

When Michael P. Kreps, a principal with Groom Law Group, helped draft a letter informing participants at two plan sponsors of a subcontractor’s data breach, he did not expect completely different reactions from each group. In the first instance, there was zero participant response after learning that information had been hacked. In the second, more than 300 participants called a toll-free number with questions.

“I can’t find any reason why one would have such a massive response,” Kreps says about the challenges inherent in delivering bad news. “So, we’ve defaulted toward clear, concise communications to people to tell them what happened, how you’re addressing it and flagging risks for them.”

The question of how plan sponsors can most effectively respond to and communicate news of a data leak to their participants has been a central topic for years. But a new Securities and Exchange Commission rule in effect this year outlining how quickly public companies must disclose material cybersecurity events is expanding ongoing discussions about best practices for disclosure and prevention. Plan sponsors, attorneys, consultants and cybersecurity experts are helping hone and assess new approaches and responses intended to inform—without alarming—participants of a potential breach.

Meticulous Planning

For Stacy Hughes, the Atlanta-based chief information security officer at Voya Financial, the time to craft a response to a potential cybersecurity threat is long before any incident occurs. The main thrust of the new SEC rule requiring more rapid disclosure focuses plan sponsors that are public companies on determining what counts as material for the organization, since the rule requires a material incident to be disclosed on Form 8-K within four business days of the company determining that it is material. In addition, she emphasizes the importance of the new disclosures in the company’s annual report on Form 10-K that describe the cybersecurity program in full. Beyond these specific requirements, Hughes sees plan sponsors’ broader and ongoing responsibilities in preparing responses coalescing around three areas: people, process and technology.

“I would encourage everybody to look at making sure, in a couple of different areas, ‘Do we have staff committed to that function within a plan sponsor?’ and then also making sure you’ve got diverse security experience and background within your organization,” Hughes says. “Looking at it from a people perspective, really having a robust security awareness and employee training program year-round.”

Creating a detailed approach ahead of time and assigning people to monitor and respond to any potential threat is essential to being prepared should a breach occur, Hughes says. To encourage best practices, Hughes advises drafting a RACI (Responsible, Accountable, Consulted, Informed) matrix that clearly outlines roles and responsibilities for everyone in the organization should its cybersecurity be compromised.

The next step is to test that plan in tabletop exercises on a regular, ongoing basis that include all stakeholders, she says. Hughes finds it useful for teams to role-play common scenarios, such as a compromised business email account or a ransomware attack.

“It makes what I like to call ‘muscle memory:’ When you’re in the moment, you know what to do,” Hughes says.

Advance preparation is also key for Kelly Lazzara, senior compliance counsel in Gallagher’s Financial and Retirement Services Practice, based in Pittsburgh.

“The best practice with respect to anticipating, preventing and then, of course, responding to a cybersecurity incident from a provider is already having a plan in place,” Lazzara says.

Even if a breach occurs externally, Lazzara recommends that plan sponsors create what she calls a SWAT team, or an incident response team, internally that would typically include the chief information security officer, legal counsel and the human resources and retirement teams.

The full article is available on Plansponsor.com.

Copper Leaf Financial, LLC is a fee-only, registered investment advisor, serving clients nationwide from offices in Williston and Rutland, VT. One of the firm’s main areas of focus is providing 401k retirement plan solutions for businesses. Copper Leaf is part of a group that serves more than 1,500 retirement plans and is helping over 50,000 Americans on their journey to retirement. Our approach is based on a simple fiduciary promise: to do what’s right for you, your company and your employees, no matter what. In addition to building new plans, we offer employers with existing retirement plans a complimentary second opinion on the health of their plan.

Recipients should not act on the information presented without seeking prior professional advice. Check with your advisor about your specific situation.