Many plan sponsors and service organizations use electronic means to store and update participant records (which likely contain personally identifiable information), to conduct financial transactions for the plan (such as the remittance of participant and/or plan sponsor contributions), and to interface with participants (for example, permitting participants to electronically initiate a new loan or request a plan distribution). Because of this, plan administrators may be vulnerable to cyber-attacks and thus exposed to risks related to privacy, security, and fraud. It is a common misconception that anti-virus and anti-spam software protects plan administrators from these risks and that involving third party administrators (TPAs) to handle plan-related transactions is sufficient to tackle cybersecurity related concerns. However, considering all the potential threats involved, relying solely on software or TPAs does not ensure that sensitive plan data is protected against potential cyber-attacks.
To protect plan information from cyber-attacks, plan administrators and those charged with governance must exercise their fiduciary responsibility and implement processes and controls that restrict access to a plan’s systems, applications, and data, including third-party records and other sensitive information. Specifically, plan administrators should:
- Review written information security policies, including those regarding encryption;
- Conduct periodic audits to detect threats;
- Perform periodic testing of backup and recovery plans;
- Determine responsibility for losses, including adequacy of cybersecurity insurance coverage; and
- Establish training policies to reinforce data security.
As part of their ERISA duty to monitor plan service providers, plan administrators should also understand how their service providers store and protect the participant data that they handle. This includes:
- Discussing with the service providers their policies and procedures relating to data security, including passwords, use of social media, document retention, internet privacy, and other relevant issues.
- Understanding the service providers’ procedures for breach notification, including any obligations they may have to notify participants or governmental authorities.
- Reviewing the service organization’s SOC 1 and SOC 2 reports. A SOC 1 report addresses a plan’s internal control over financial reporting; however, it does not address broader entity cybersecurity controls and risk. A SOC 2 report, on the other hand, specifically addresses the cybersecurity controls and risks in the system used by the service organization to provide such services to the plan. It may also address controls relevant to the service organization’s ability to maintain the confidentiality or privacy of the information processed by the system.
The overall responsibility for securing employees’ confidential information and plan-related transactions resides with the plan administrators; therefore, it is very important that they take all the steps necessary to ensure cybersecurity.
For more information about McKonly & Asbury’s Employee Benefit Plan services, or for questions regarding this article, please contact Stephanie Kramer, Supervisor with McKonly & Asbury, at firstname.lastname@example.org.