plans are ripe with information that may be vulnerable to a data breach. Protecting plan information is often overlooked by plan sponsors when devising their cybersecurity strategies. However, Employee Retirement Income Security Act (ERISA) Section
404 requires benefit plan sponsors and other fiduciaries to administer plans with the “care, skill, prudence, and diligence under the circumstances that a prudent person acting in a like capacity and familiar with such matters would use.”
And Department of Labor (DOL) Reg. Section 2520.104b-1(c) and DOL Technical Releases 2011-03 and 2011-03R impose obligations to ensure that electronic systems protect the confidentiality of personal information. Accordingly, employee benefit plan
sponsors have a fiduciary duty to protect the information of the plan and its participants from unauthorized use. Part of this fiduciary duty is to have a cybersecurity plan in place that includes procedures to prevent and respond to threats.
Employee benefit plans maintain a significant amount of sensitive information, including names, birth dates, Social Security numbers, hire dates, retirement dates, compensation, addresses, and bank account information. This information is often shared
with third-party service providers, including payroll service providers, trustees, custodians, claims processors, and recordkeepers. Hackers find sensitive plan information attractive, not only for identity theft purposes but also to gain the ability
to request participant loans or benefit payments under false pretense.
Addressing and remedying a cybersecurity breach once it occurs can be costly for plan participants and plan sponsors. Participants can experience monetary losses, and plan sponsors will be liable for the expenses associated with investigating an incident
and restoring losses to plan participants.
Cybersecurity threats to employee benefit plans take many forms, including phishing schemes that trick users into disclosing log-on credentials, malware that compromises websites, and ransomware that locks data or systems until a payment is made.
In November 2016, the ERISA Advisory Council on Employee Welfare and Pension Benefit Plans (the council) issued a report to the DOL, Cybersecurity Considerations for Benefit Plans. The report examines and recommends cybersecurity considerations
as they relate to employee benefit plans. The council focused specifically on strategies that can be scaled or adjusted based on sponsor and plan size, type, resources, and operational complexity in order to provide useful information to plan sponsors,
fiduciaries, and service providers in evaluating and developing a cybersecurity risk management program. The council also created materials for plan sponsors and fiduciaries to use when developing a cybersecurity program.
The council identified several areas to focus on for more effective employee benefit plan cybersecurity practices and policies:
- Obtain a thorough understanding of the data and assets used and shared as part of the plan’s administration.
- Emphasize the importance of plan sponsors vetting service providers regarding cyber risk and negotiating contract provisions that mitigate risk to the plan.
- Understand whether current insurance covers a cybersecurity breach, and consider the need for stand-alone cyber-related insurance.
The AICPA has a Cybersecurity Resource Center and cybersecurity reporting models, including a Service Organization Control (SOC) report. The SOC for cybersecurity is an examination engagement performed in accordance with AICPA’s clarified attestation
standards on an entity’s cybersecurity risk management program. The AICPA also issued Cybersecurity and Employee Benefit Plans: Questions and Answers, which was prepared by the Employee Benefit Plan Audit Quality Center (EBPAQC) to help
auditors understand cybersecurity risk in employee benefit plans, and to discuss cybersecurity risk, responsibilities, preparedness, and response with clients.
The Q&A document prepared by the EBPAQC focuses on helping the plan auditor discuss with the plan sponsor how it monitors its service providers and its responsibility to understand how those providers protect and store participant data. One key consideration is often overlooked by plan auditors: they, too, handle sensitive plan and participant information while auditing the plan’s financial statements. Plan auditors should go beyond redacting sensitive plan information in engagement workpapers and databases; they may want to develop their own cybersecurity strategy that includes measures such as encryption, computer-use policies, and employee training.
Plan auditors are a service provider to an employee benefit plan, and the need to be knowledgeable and prepared regarding cybersecurity is becoming increasingly important. Don’t forget to address in-house matters while advising clients to address
JulieAnn C. Verrekia, CPA, is director of quality control with Torrillo & Associates LLC in Glen Mills, and a member of the
Pennsylvania CPA Journal Editorial Board and the PICPA Employee Benefits Plan Committee. She can be reached at email@example.com.