Cybersecurity Incident? New Reporting Rule Approved by SERS Board

SERS continues to increase security protections and upgrade functionality to protect member data.

At its July meeting, the Retirement Board approved a rule stating that an employer must notify SERS if they experience a cybersecurity incident impacting them and prompting the need for response and recovery.

A cybersecurity incident includes ransomware or an employer business email compromise that may place a member’s personal data at risk. Member personal data includes full legal name, date of birth, home address, email address, Social Security Number, driver license number, state identification card number, School Employees Retirement System account username, School Employees Retirement System account password, record of contributions, or financial account numbers.

The rule requires an employer to provide notification of the cybersecurity incident to SERS by telephone or email within 72 hours of the discovery of the incident.

If you experience a cybersecurity event that has been determined to have an impact on you prompting the need for response and recovery, notify Employer Services at 1-877-213-0861 or employerservices@ohsers.org within 72 hours of discovery of the incident.

Please provide the following:

• The date and time of the incident
• The name of the employer cybersecurity incident representative and contact information
• The nature of the cybersecurity incident, including any potential impact on a member’s personal data or email communications from employer
• A description of personal data involved in the cybersecurity incident
• The employer action taken to mitigate the cybersecurity incident and secure compromised systems

 

If you have questions regarding this information, contact Employer Services at 1-877-213-0861 or employerservices@ohsers.org.