Action steps to help safeguard plan participants’ financial and personally identifiable information

From fostering a workplace culture centered on supporting the physical, emotional, career and financial wellbeing of employees to ensuring that benefit programs are compliant with local, state and federal requirements, effectively protecting the wellbeing of your employees connects directly to protecting the wellbeing of your organization overall. Compliance Connections delivers monthly, actionable guidance designed to help you manage and optimize the connections between the compliance of your benefits and human resources programs to overall organizational wellbeing. In addition to a health pandemic, a pandemic of cyberattacks arose during 2020 and continues into 2021. Cybersecurity is a major concern in the context of employer-sponsored benefit plans because plan participants' financial and personally identifiable information is maintained and shared with multiple parties. To help you assess and mitigate your organization's risk related to safeguarding this information, we explore some important action steps below.

Begin with a solid working knowledge of the current cybersecurity threat landscape. Recent days have shown a disturbing trend in ransomware attacks, as hackers became more calculating in whom they targeted and the ransom amount they expected to collect. Today's ransomware attacks often target managed security service providers (MSSPs) that frequently act as outsourced IT vendors to hundreds, if not thousands, of other companies. By attacking them, hackers can impact all of an MSSP's clients in one efficient cyberattack. Unlike ransomware attacks in previous years, today's cybercriminals have drastically increased their extortion demands by routinely demanding six-figure sums to release data, with occasional extortion attempts reaching multimillion-dollar amounts. Failure to meet these demands often results in threats to release the victim's most sensitive data to the public, because the newest ransomware variants work not only to freeze data, but to also exfiltrate data. This often creates legal liability for the victim company, including mandating notification to affected individuals and regulators, on top of what often results in significant downtime, unforeseen extra expenses, and lost business. In fact, the extended downtime can lead to lost business costs that are exponentially greater than the extortion demand itself. What are you doing to stay informed about current types of cyberattacks?

Develop and document a formal cybersecurity program. On April 14, 2021, the U.S. Department of Labor (DOL) issued retirement plan cybersecurity best practices guidance. This is the first guidance issued to retirement plan stakeholders and, although informal, clearly indicates that the DOL views cybersecurity risk mitigation as a fiduciary responsibility. This guidance is directed specifically to the retirement plan arena, but can be extrapolated to best practices for employee benefits cybersecurity in general. The DOL recommends, as a best practice, the development and documentation of a formal cybersecurity program that identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information. A well-designed program will protect information from unauthorized access, use, or other malicious acts and will establish strong security policies, procedures, and guidelines to accomplish that protection. What action does your organization need to take to document and formalize or update your cybersecurity program as it relates to your employer-sponsored benefits?

Exercise wise decision-making in selecting service providers. The DOL indicates that prudently selecting service providers is a fiduciary responsibility under ERISA. Best practices in the area of service provider selection include asking about a potential service provider's security standards, practices, and policies, as well as inquiring about audit results and comparing those to industry standards. As the DOL notes, a fiduciary can have more confidence in service providers whose systems are backed by annual audit reports. Other important considerations include asking a service provider how it validates its practices, and what levels of security standards it has met and implemented; evaluating the service provider's track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to a vendor's services; and asking whether the service provider has experienced past security breaches, what happened, and how the service provider responded. How does your service provider selection process investigate an entity's ability to adequately protect data it will create, receive, transmit, or maintain on behalf of your employee benefits program?

Assess your service providers' security compliance regularly. In addition to prudently selecting service providers, ongoing monitoring of service providers' security compliance can reduce exposure to risk. The DOL suggests that contracts with service providers should provide a plan sponsor the ability and the right to review audit results demonstrating compliance with the relevant level of security standards to which the service provider is held. This suggests that plan sponsors should have the right (and responsibility) to review audits during the term of a contract — not just at the initial engagement with a service provider. Plan sponsors should engage in annual information security reporting, where the service provider is required to have a third-party audit to determine and demonstrate its compliance with security policies and procedures. Existing service providers may be unwilling to renegotiate the terms of their service agreements prior to the expiration of the contracts, but plan sponsors should consider reaching out to their service providers to see how their service agreements and current cybersecurity practices measure up to these standards. What level of oversight do your service provider agreements allow so that you can ensure the providers' security policy and procedure compliance?

Train (and retrain) your employees at least annually. Many cybersecurity breaches are the result of employee errors or accidental exposure of data. From both an employer and a plan fiduciary perspective, providing education and reminders about personal and professional cybersecurity safety is crucial. The DOL's tips include a reminder that a comprehensive cybersecurity awareness program is important to educate employees so they can help prevent cyber-related incidents. An important component of training, which should include education about current cyberattack trends, is teaching employees how to recognize and respond to threats. Among other things, security training should cover login monitoring, password management, and protection against malicious software (such as avoiding phishing scams). What steps do you take to educate all of your employees about cybersecurity?

This is a preview edition of Compliance Connections, a monthly publication produced by Gallagher's Compliance Consulting Practice. For five more action steps, contact your Gallagher representative or visit our Compliance Resources page to subscribe and receive the full version of this publication each month.
Compliance is a series of actions, not a final destination. As a trusted advisor, Gallagher has developed this Compliance Connections series to help you pursue a path through employee benefits compliance issues as part of an overall continuing compliance plan. Plan sponsors should carefully evaluate their health and welfare plans to determine if they are in compliance with both federal and state law. If you have any questions about one or more of the compliance requirements listed above, or would like additional information on how Gallagher constantly monitors laws and regulations impacting employee benefits in order to support plan sponsors in their compliance efforts, please contact your Gallagher representative.
The intent of this analysis is to provide you with general information. It does not necessarily fully address all your organization's specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues should be addressed by your organization's general counsel or an attorney who specializes in this practice area.