Original post benefitspro.com

Cyber threats and attacks are so widespread that retirement plan sponsors are being warned to develop a cyber risk management strategy rather than a cyber risk elimination strategy.

That’s according to law firm Pillsbury Winthrop Shaw Pittman LLP, which said in an advisory that among other concerns, sponsors should be prepared to evaluate their third-party service providers’ cybersecurity programs and ensuring that the plans themselves have mitigated risks from losses in case of a cyberattack.

It shouldn’t come as a big surprise to anyone, considering that there’s a $5 trillion 401(k) market just sitting there waiting to be ravaged by hackers.

Considering that account holders often don’t check their accounts often enough to catch hacking attempts, and that the advisors and plan providers hold another wealth of information (pun intended) on those account holders, the retirement plan market is ripe for the plucking.

The trillions of dollars in 401(k) accounts are becoming particularly appealing to cyber criminals.

In its first of a series of advisories on cybersecurity issues regarding retirement plans, the law firm said that an effective cyber risk management strategy would include thorough due diligence by sponsors of TPAs and vendors; periodic implementation and review of contractual protections and insurance requirements in arrangements with TPAs; periodic monitoring of TPAs’ cybersecurity compliance and related risks; and consideration of whether to utilize the SAFETY Act, a liability management statute managed by the Department of Homeland Security, and purchase cyber and privacy insurance.

According to the brief, “Retirement plan sponsors and administrators could utilize the SAFETY Act in one of two ways: (1) by having their internal cybersecurity plans and policies SAFETY Act approved, thereby significantly limiting the possible scope of litigation claims they would face after a cyberattack; or (2) by requiring TPAs to hold SAFETY Act protections, as that would allow retirement plan sponsors and administrators to be dismissed from a broad array of claims alleging negligence or poor performance attributed to the third-party security products and services.”