Trustee Responsibilities for Cybersecurity

In June 2016, 91 deferred compensation retirement accounts of Chicago municipal employees were breached.


The hackers used employees’ personal information to set up web profiles that allowed them to take out loans against the employees’ retirement accounts. About $2.6 million was lost from the retirement accounts of 58 City of Chicago employees. The city refunded the missing money to the affected accounts and provided credit monitoring services to the participants involved. All types of employee benefit plans are attractive to cyber criminals because of the nature of the data they must handle in order to operate the plans.

Plan fiduciaries could be found responsible for a fiduciary breach as a result of a cybersecurity breach. A cybersecurity breach in an employee benefit plan has a significant impact on plan sponsors, plan participants, beneficiaries and service providers, not to mention the significant costs of recovering from the breach. Plan operations may be significantly disrupted. Plan participants may lose confidence in plan sponsors and service providers, and that confidence may take years to rebuild. A breach of ePHI (Electronic Protected Health Information) could result in a violation of HIPAA (Health Insurance Portability and Accountability Act of 1996) and subject the plan to fines or a settlement.

What are trustees’ responsibilities in cybersecurity?

  1. Establish a strategy against cybersecurity attacks and prepare for a possible breach:
    • Understand the electronic data handled within the plan and create policies and maintain up-to-date system technology to prevent and identify a breach.
    • Document the overall process of responding to cybersecurity breaches and any steps to take corrective action in case of an actual breach.
    • Establish procedures for trustees in communicating with plan participants upon the breach.
    • Consider data retention and destruction.
    • Consult a cybersecurity expert when establishing a strategy and legal counsel to determine compliance requirements.
    • Obtain a business insurance policy for cybercrime coverage.
  2. Perform due diligence on data security of service providers who work with the plan’s participant and plan data:
    • Monitor the service providers’ process of handling PII (Personally Identifiable Information) and ePHI and understand how they impact the plans.
    • Understand the control environment of those outsourced activities to other service providers.
    • Negotiate contract provisions to mitigate the costs of responding to a security breach.
  3. Create a culture where top management truly cares about protecting participant data:
    • Train and manage employees who work with participant and plan data to ensure established controls are carried out.
    • The tone at the top helps employees at all levels recognize the protection of participant data as important.

What information is at cybersecurity risk in employee benefit plans?

  • PII, such as social security number, date of birth, e-mail address.
  • ePHI, such as medical ID, medical claims records.
  • Participants’ retirement plan account number and account balance.
  • Plan investment transfers.
  • Cyber criminals steal participant data, make fraudulent transfers of plan assets, make loans from participants’ accounts and steal participants’ account balances.

What are the common schemes of a cybersecurity attack?

  • Phishing - The fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as log-on credentials, passwords and bank account numbers.
  • Ransomware - A type of malicious software designed to block access to a computer system until a sum of money is paid. It is typically installed on a system through a malicious e-mail attachment or link.
  • Cyber criminals use technology to carry out malicious activities on systems or networks with the intention of stealing sensitive company information or personal data and generating profit.
  • Anti-virus and anti-spam software does not protect from a cybersecurity attack.

ERISA (Employee Retirement Income Security Act of 1974) requires benefit plan sponsors and their fiduciaries to administer their plans with due diligence for the exclusive benefit of participants and beneficiaries. Due diligence means extreme care. With cybersecurity attacks on the rise, it is the trustees’ responsibility to exercise that same extreme care in preparing for cybersecurity attacks. For further considerations on managing cybersecurity risks and developing a cybersecurity plan for employee benefit plans, please refer to the 2016 DOL Advisory Council Cybersecurity Report.