Employers must carefully choose and monitor third-party administrators
To attract and retain the best employees, a 401(k) plan is a must. Operating a 401(k) plan, however, involves many responsibilities, including drafting and maintaining plan documents, communicating with employees, calculating and distributing benefits, and protecting plan assets. Most employers delegate some or all of these responsibilities to third-party administrators (TPAs) who, to perform services, collect and hold sensitive employee information such as addresses, birthdates, compensation data and Social Security numbers.
Yet, with all of this sensitive information changing hands, 401(k) plan cybersecurity is often an afterthought, even at companies that take great care to protect their businesses from cyberthreats. Because there are no cybersecurity rules or standards that directly and specifically address 401(k) plans, it is hard to know where to begin. It is also tempting to assume that TPAs have adequate cybersecurity controls in place. However, there are many reasons employers should spend more time protecting their plans—and there are ways to do so.
Cybersecurity Rules and Standards of General Application
Although no cybersecurity rules directly address 401(k) plans, many state laws require employers to protect personal information and take specific actions in the event of a breach.
Under these laws, employers are held responsible for TPA noncompliance. It is therefore vital that employers contractually ensure that each TPA is complying with these state laws and that the employer is protected if the TPA breaches these laws.
There is ample inspiration for best practices. For example, under the New York Department of Financial Services' cybersecurity regulation, banks and other financial institutions doing business in New York are required to designate a chief information security officer, create and annually update a robust plan for security breaches, conduct evaluations of security vulnerabilities, and require cybersecurity training. It is reasonable to ask any TPA to meet similar standards.
The Employee Retirement Income Security Act (ERISA) holds employers that sponsor 401(k) plans to a high fiduciary standard of prudence, which incorporates a requirement to carefully choose and monitor TPAs. It is reasonable to infer that the prudence standard requires employers to negotiate their TPA contracts so that participants' savings and personal information are protected from cyberthreats.
Proactive Steps for Plan Sponsors
When hiring a TPA or renewing a TPA service contract, employers should negotiate strong and specific cybersecurity protections into the contract, including the following:
Smaller employers generally have limited bargaining power and may have little success negotiating for employer-friendly cybersecurity provisions. That said, employers of all sizes should, at the very least, strive to meet the ERISA prudence standard, including by comparing proposals of several TPAs every few years and making good-faith negotiation attempts.
For most companies, 401(k) plan cybersecurity is not a priority. However, by carefully choosing and monitoring service providers, 401(k) plan sponsors can protect themselves and their employees from cybersecurity threats.
Patricia Moran is an attorney at Mintz Levin in Boston.
Related SHRM article: Guarding Benefit Plans from Cyberattacks, SHRM Online Benefits, July 2017.