CyberSecure

FOR LOCAL UNIONS

Six Questions to Help You Establish and Maintain Cybersecurity Compliance with Service Providers

Marsha R. Woodward
Director, Haynes Benefits PC

Cybersecurity breaches make headlines regularly, and the field is becoming increasingly complex as new threats emerge. This Q&A-style article is part two of a series highlighting key concepts and legal considerations for creating and maintaining a cybersecurity compliance action plan. This particular article focuses on finding responsible service providers, ensuring their compliance aligns with your plans and offices, and maintaining a relationship of compliance with these providers over time. 

1. Why do I need to address cybersecurity with service providers? 

The cybersecurity compliance process does not end with hiring an IT professional or third-party administrator. Though delegation of responsibility is an important part of your action plan, it is only a first step in an ongoing, dynamic process. Both ERISA rules and federal regulations require all ERISA plan fiduciaries to use reason and prudence in selecting service providers, to require those providers to follow the rules that apply to your plan, to monitor the providers you select, and to take swift and appropriate action when concerns arise. This process extends from initial interviews with providers until the last bit of protected information is either destroyed or returned to you. These duties apply even after your contractual relationship has ended. As with any fiduciary duty, personal liability could result if appropriate action is not taken and a breach occurs.

2. Where are your service providers in the compliance process?

Service providers should be fully compliant with all requirements of the laws and regulations that apply to your plans and offices. Providers should furnish information about their compliance with the same best practices you have learned and used to evaluate your own in-house cybersecurity. If subcontractors are used, they must be held to the same standards and answer the same compliance questions as your offices and plans. Regular communication, and evidence of a dynamic process that keeps evolving to ward off emerging threats, are essential. The more documentation you have illustrating compliance with best practices, the better.

3. Who do your providers use to help them achieve compliance?

Any cybersecurity compliance program is only as strong as the weakest point of contact with protected information. Service providers must identify every entity associated with them or providing services to them. All questions about security, the use of protected information, or contractual and insurance protections should be addressed seriously and in sufficient detail, with documentation to back up the answers. Any business conflicts or incentives should be identified and addressed early in the process. Promises or guarantees must be in writing. Every question you ask of your own plans and offices, and of your service providers, must also be asked of any and all related entities, and you should have access to documentation confirming their compliance.

4. How often do I need to check in with my service providers? 

Regular monitoring is the legal standard. At minimum, annual reviews are recommended. Additionally, address cyber protection and insurance coverage at every contract change or renewal, whenever policies and procedures change, and whenever an incident — not just a breach — occurs. A business merger or acquisition should prompt inquiries as if you are beginning a relationship with a new company. You should be told when any service provider or third party has a cybersecurity incident — not just a breach — or is in the news or social media as impacted by an incident, with regular updates until the matter is fully resolved.

5. What are “red flag” responses from my service providers?  

Challenge providers who deliver a different product or response than was promised in initial presentations and marketing communications. If a statement is unclear or vague, it should be immediately clarified upon inquiry. Contract terms that unfairly place liability on you or the plan, or aggressively limit the liability of the service provider, are not acceptable. Each party should bear responsibility for regulatory penalties or fines for their breach, which can be the most expensive part of an incident. Inconsistent communications should be rectified quickly, along with an explanation of how and why they occurred. Insurance coverage should be sufficient to cover costs of litigation, audit defense, and notifications to participants, along with the cost of correcting the breach and any fines or penalties. 

6. How else can I protect my union and fund office?   

Be proactive. Encrypt everything, in movement and at rest. Pay attention to news and social media breach notices and find out whether the entities named have ever had access to information from your offices or plans. Document everything that shows your effort and decision-making prudence. Be curious about new technology, how it is used, and how it can be misused. Talk with others in your industry about what they are doing proactively to protect their offices and plans. Talk with professionals at conferences and training events and take any new or unusual ideas back to your professionals for evaluation. Pay attention to the process and evolve with technology. 
