The loss of employee personal information due to a cybersecurity breach is an ever increasing concern to all employers. Most companies have retirement plans and typically the information maintained within the plan includes employee name, date of birth, address, social security number, compensation and other financial information. This information is provided to the plan record keeper and other plan service providers and the information is sufficient to steal one’s identity.
The cost of a cybersecurity breach, including detecting the extent of the break-in, recovering data and restoring systems integrity, can be substantial for plan sponsors and plan service providers. The Department of Labor (DOL) has expressed concerns that employee benefit plan (EBP) administrators may be vulnerable to cyber-attacks and thus exposed to risks related to privacy, security, and fraud. In the present day, third party administrators (TPA) and EBP administrators transmit EBP transactions electronically, therefore, they are exposed to higher cybersecurity-related risks than other corporations that may be able to have a closed system.
In light of all the potential cybersecurity-related threats, the DOL stresses to EBP administrators that ensuring the security of EBP data related to their employees’ sensitive information is deemed to be part of their fiduciary responsibility.
Most EBP administrators may be under the impression that anti-virus and anti-spam software installed protects them from these risks. They further may believe that by involving TPAs to handle EBP related transactions that would be sufficient to tackle cybersecurity-related concerns. Considering all the potential threats involved, relying solely on TPAs or software does not ensure that EBP sensitive data is protected against potential cyber-attacks.
To protect against a cyber-attack, the DOL is recommending the following for EBP administrators:
As auditors, we recommend reviewing the Service Organization Controls (SOC) 1 reports of TPAs to ensure data security related controls are addressed. Additionally, those charged with plan governance should develop a customized strategy to ensure the above necessary steps are followed to prevent cyber-attacks within their organization.
Finally, eliminating all risk of cyber-attacks is not possible, so plan sponsors and those charged with governance need to assess their plan’s risks and develop specific strategy to address those risks as unfortunately, there is no “one-size-fits-all” approach related to cybersecurity and its not “if” there will be a breach its usually “when.” What will that cost your organization?
|Jennifer Keshwar, CPA
(407) 581 2297
The information contained herein is not necessarily all-inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriately qualified professionals for your plan’s individual facts and circumstances.