Cybersecurity breaches are making headlines daily, and the field is becoming increasingly technical and complex as new threats emerge. This article highlights key concepts and legal considerations for creating and maintaining a compliance action plan.
If you’ve only been “thinking about” assessing your hardware and software, have obtained quotes but haven’t acted, or haven’t revisited your cybersecurity training in a year, you’re behind. If your organization works with ERISA funds, the Department of Labor (DOL) has published cybersecurity best practices and expects that you have had years to bring your operations in line with them. Immediate action toward compliance is imperative. While the expense of compliance might seem substantial, the cost of a single security breach could far exceed your entire budget: ransom demands from cybercriminals, potential fines from the DOL, legal action for negligence, or all of the above.
Guidance on cybersecurity changes frequently and rapidly — think about how swiftly technology evolves! Dedicated cybercriminals are constantly working to outpace IT industry designs and protections. Protecting your assets involves both preventive and reactive processes. What you learn today will change over time; it’s the nature of the beast. Set your office up for success by treating this as an ongoing, regular initiative — not something you address a few times a decade.
IT policies and procedures are not the same as legal compliance policies and procedures or administrative office policies and procedures. IT professionals are experts in the fine details of your cybersecurity design and can implement the controls that protect your hardware and software. However, their focus is on compliance with their own industry standards, which often differ from the standards of your industry. They may not know how to help you document the plans, policies, and procedures required to prove legal compliance. Nor will they necessarily know better than you what steps users of the system should take before contacting them when something adverse happens, or how to plan for business continuity during recovery.
A good IT professional will explain how their services meet applicable legal standards. But don’t rely on them to draft your internal policies and procedures for disaster recovery and business continuation plans. They should be involved and can help describe how their services fulfill your specific requirements, but your attorney and administrative professionals should collaborate to draft the legally required documents. You’ll often find more business considerations than anticipated by compliance regulations. Regulators draft regulations to apply broadly to all types of entities but often fail to consider significant differences in how industries operate.
Boilerplate policies and procedures won’t suffice and instead must be written specifically for your office.
When considering any actions taken, uphold this crucial maxim: If you don’t document it, it never happened. Retain all risk analyses and resulting policies and procedures. Regulators will look more favorably on an ongoing analysis and solution process than a single effort. It’s recommended to maintain separate binders or files categorized by years.
Consider cybersecurity insurance and ensure you understand the coverage. Coverage applications and renewals will ask for detailed information on your cybersecurity practices, which will be used for legal considerations.
Examine your cyber insurance policy carefully, including its terms and coverage limitations. As risks become more complex and more claims are filed, insurance companies revise contract coverage and exclusions annually to meet underwriting risk requirements. A good broker will help you understand changes as they occur. Many exclusions apply to human error by internal office employees or third-party administrators. This means you’ll need to train your staff regularly on how to avoid breaches that result from human decision-making, such as believing a caller is a bank representative without independently verifying their identity (for example, by calling back on a number you already have on file). Such mistakes may not be covered by your cyber insurance policy, as opposed to a criminal exploiting a previously unknown vulnerability in your firewall (assuming no one turned the firewall off).
Carefully evaluate your coverage limits and how much you can afford to spend out of pocket. Many policy limits are woefully inadequate. Some cybercriminals demand multiple millions of dollars in ransom. Even with insurance coverage, any amount exceeding the policy limits comes out of your reserves. This exposes fiduciaries to lawsuits claiming mismanagement of funds, which could result in personal liability for the excess, plus interest and any other damages resulting from inadequate coverage.
Begin by ensuring all private information is encrypted, both at rest (on servers, workstations, laptops, phones, and backups) and in transit (email, file transfers, and any other method of external sharing). Your IT professionals and attorneys will have compliance checklists for you, which will help tailor resources to your needs. To prepare for meetings with them, create an inventory of your hardware and software, including each item’s age, specifications, features, update frequency, general usage, number of users, and any features you like or wish operated differently. Note any strengths and weaknesses you’ve already identified. Consider every type of device and what information and systems each one can access; smartphones count.
You need to understand the features and needs specific to your organization so your professionals grasp what’s most important to you. Gather any plan documents, policies and procedures, manuals, and other written materials that discuss technology use or security and privacy expectations. Talk with your users to gauge their expertise with the technology and any specific questions or concerns they have regarding privacy and security. If they have specific scenarios in mind, note them. Include all individuals who have access to any of the listed items, no matter how infrequent.
Your goal in meeting with IT and legal is to create a list of your biggest risks and determine which to address first. If your fiduciaries are less concerned with certain identified risks than you are, ensure they understand the risks in practical terms. Search for news stories of security incidents involving those risks to help them comprehend real-world applications of these concepts, which can be difficult to navigate through the compliance process. Regardless, any action plan should be presented to and approved by your plan fiduciaries. The risk is too big, the expense too great, and the subject matter too complex to exclude any decision-makers.
The Department of Labor emphasizes the importance of cybersecurity for those responsible for plan-related IT systems and data.