Best Practices for ERISA Fiduciary Responsibilities and Cybersecurity for Retirement Plans

Thomson Reuters Practical Law July 2020

Michelle Capezza and Christopher Lech, attorneys in the firm’s New York office, co-authored “Best Practices for ERISA Fiduciary Responsibilities and Cybersecurity for Retirement Plans,” a Practice Note published by Thomson Reuters Practical Law.

Following is an excerpt:

The Employee Retirement Income Security Act (ERISA) imposes specific duties and obligations on employers, individuals involved with retirement plans and other entities, including special rules applicable to those falling within the definition of a “fiduciary” in ERISA Section 3(21) (29 U.S.C. § 1002(21)).

Data and personally identifiable information (PII) have become increasingly vulnerable to attack as they travel across employer and third-party systems. This is partly due to recent advancements in plan administration and technology: online enrollment and electronic access to account information, electronic delivery of disclosures including benefit statements, and benefit plan transaction processing (including self-certifications of distributions). Today, most transactions involving retirement plans are conducted electronically, including maintaining and sharing data and information across multiple platforms.

With the ongoing advancements in technology (including technological tools that have emerged to aid in the administration and delivery of employee benefits) and the novel cybersecurity risks that those advancements bring, there is widespread concern about both:

  • The security of the employee data that is collected, transmitted, processed, and stored for employee benefit plans.
  • The security of the assets in participant accounts.