Because it has been the topic of too many news headlines recently, cybersecurity is an increasing concern for everyone, including plan sponsors and plan fiduciaries. A cyber-breach is bound to happen to any entity, whether it is an intentional breach caused by a hacker or a breach caused by an employee misstep or oversight. Unfortunately, it is not a matter of “if” a breach will occur, but “when” a breach will occur.
Plan Sponsors and Plan Fiduciaries have a fiduciary responsibility to protect plan data (Names, Addresses, Social Security Numbers, Dates of Birth, Financial Information, etc.) An outsider or even an employee who shouldn’t have access, gaining access to plan data could be detrimental to the identities of the plan participants and beneficiaries, as well as costly to the plan sponsor. So, what can plan sponsors do to address cybersecurity risks?
Develop a Strategy
Each plan sponsor should develop and maintain a written cybersecurity risk management strategy. Risk management is the ongoing process of identifying, assessing and responding to risk. Start by identifying any risks and brainstorming ways to mitigate those risks. Is there a possibility of a breach occurring due to the way plan data is stored, handled, accessed or transmitted? Should employees email participant data directly to service providers or should there be secure file transfer protocols in place? Should the data be encrypted? Do we need to call YHB’s Risk Advisory Services team to help us determine where our risks lie? Should we require mandatory training on cybersecurity for all employees? All of these questions and more should be addressed. Once the risks are identified, determine the impact of those risks and how you plan to respond to them. Enlist the help of your IT department (believe it or not, they know a lot about this stuff), but be involved because you understand more than anyone the information that is at risk.
Keep an Eye on Service Providers
Identify all plan service providers who will have access to plan data. This includes record keepers, custodians, trustees, and even auditors. Any vendor who has access to plan data should be identified. Sometimes it may even be necessary to inquire about your vendors’ vendors if they will have access as well. Once you identify your providers, take a look into their security policies and controls and how they plan to address cybersecurity risk. Review their SOC 1 and SOC 2 reports. Review all contracts and agreements with the providers. Amendment to these agreements may be necessary if they do not include wording regarding their responsibilities for data protection and fair allocation of liability if a breach were to occur. You want to make sure that if a breach on the plan’s data occurs while in their hands, they have protocols in place and will take responsibility.
Evaluate Insurance Coverage
Traditionally, the standard commercial insurance policies that plan sponsors have provide little or no coverage for cybersecurity risks. Plan sponsors should review insurance coverage for data breach events and should consider the purchase of cybersecurity insurance. Should a breach occur, this insurance could cover legal services, forensic services to identify the source of the breach, notification of regulatory authorities, and management of participants, which includes notifying them, answering any questions, and providing credit monitoring services and identity theft recovery services.
Cybersecurity is a growing concern for all entities and no one is exempt from the risks. Although there is no way to completely eliminate cybersecurity risks, taking responsibility and having a strategy in place will give you peace of mind when a breach occurs.
Whether you’re looking for assistance in setting up and administering a retirement plan for your employees, or need a plan audit, you want professionals who specialize in providing benefit plan services and can deliver what you need in a timely, tax-efficient and cost-effective manner that satisfies all pertinent requirements. Whether it is our Risk Advisory Team or Employee Benefit Team, YHB stands ready to provide assurance to your controls.
About the Author
Nykeya is a key member of YHB’s Employee Benefit Services Team. She joined YHB in 2012 and became a licensed CPA in 2014. Nykeya has supervised audits across various industries but her career focus has been in the audit of employee benefit plans.