Cybersecurity has received far more attention over the past several years, and many companies are now designing strategies and programs to identify and address cybersecurity risks to their systems. One area that is easily overlooked is the cybersecurity risk that attaches specifically to employee benefit plans. A 2017 BDO Cyber Governance Survey indicated that 60% of plan sponsors are not adequately aware of these risks.
In 2016, the ERISA Advisory Council examined cybersecurity considerations related to pension and welfare benefit plans, focusing on information that would be useful to plan sponsors, fiduciaries and service providers. Employee benefit plans have increasingly become targets for hackers who are posing as participants to access account funds, or at the least, gain access to personally identifiable information (PII).
One characteristic that makes an employee benefit plan an attractive target is its many interfaces with plan sponsors, third parties and participants (payroll feeds, recordkeeper portals, call centers and participant logins, for example); each interface is another potential entry point. In addition, the current COVID-19 environment has brought more requests for distributions and loans, more individuals accessing plan information remotely, and companies that may be paying less attention to these assets while they focus on changes to business practices. As a result, the courts are seeing an increasing amount of breach-related litigation, which in turn has prompted discussion of fiduciary responsibilities in this area.
What Questions Should Fiduciaries Be Asking Service Providers?
When a plan fiduciary hires a service provider, and while monitoring that provider afterward, the fiduciary has a responsibility to ensure the provider is selected and retained prudently. At a minimum, the fiduciary is expected to ask a substantial number of questions when hiring or monitoring a service provider. The following are examples of questions to ask plan service providers:
- 1) What sort of practices and policies does the service provider have to ensure their systems are secure?
- 2) Does the service provider use multi-factor authentication, and for whom (participants, sponsor users, its own staff)?
- 3) Does the service provider have policies on storing PII? Where is it stored, for how long, and how is it destroyed when no longer needed?
- 4) Are all personnel who come in contact with PII trained on adequate protection of the information?
- 5) Are technology systems regularly patched and updated?
- 6) Do they have regular third-party audits by an independent entity?
- 7) How do they validate the security of their systems (for example, penetration tests or vulnerability assessments), and how often?
- 8) What sort of track record do they have, and do they have prior incidents of cybersecurity breaches?
- a) Are they willing to talk to you about those prior incidents and what have they done to respond to them?
- b) Do they have insurance policies to make you whole and cover breaches? Or, do they have all sorts of waivers and exculpatory clauses in their contracts?
- 9) To what extent do they stand behind the security of their systems, and are they prepared to commit to make you whole if a vulnerability in those systems leads to a loss?
- 10) How do they secure and monitor their endpoints?
As detailed in recent litigation, attackers are gaining access through channels such as the "forgot password" flow or by calling the plan's customer service line and impersonating a participant. It is therefore critical to understand how recordkeepers authenticate participants. Fiduciaries should take the time to learn whether the service provider offers multi-factor authentication and what happens when a participant calls the recordkeeper's service center. An effective process should not rely solely on knowledge-based questions, which can often be answered from publicly available or previously breached data; it should require a variety of items and, ideally, stronger factors such as hardware or software tokens.
What Questions Should Fiduciaries Be Asking Themselves?
Fiduciary responsibility encompasses more than just picking the right service provider. The plan fiduciary should develop an overall framework for oversight. A game plan might look something like the following:
- 1) Start discussions within plan oversight committees.
- 2) Review what the company and the service providers are doing to address risk within the organizations.
- 3) Identify the information at risk (e.g., social security numbers, addresses, bank account information, beneficiaries, etc.).
- 4) Have a plan in place to address a breach and/or mitigate the risk.
- 5) Review current industry developments and existing cybersecurity frameworks as a starting point.
- 6) Consider the AICPA’s SOC for Cybersecurity Risk Management or other cybersecurity framework like NIST, CIS Top 20, etc. (discuss if service providers have one or have considered it).
Some essential cybersecurity-related questions plan fiduciaries should ask themselves when creating their game plan include:
- 1) Who can modify an employee's bank account details, to which funds would be released, and how is such a change verified with the participant?
- 2) Who can modify an employee's address, to which funds or checks would be mailed?
- 3) How often am I reconciling balances between the "holder" of the assets (the custodian or trustee) and the administrator of the assets (the recordkeeper), and reviewing the changes?
- 4) How often am I reviewing individual account balance fluctuations?
- 5) Do I have alerts configured to notify me of withdrawals, loans and transfers, especially those that follow a recent change to banking details, address or login credentials?
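The monitoring questions above (who changes banking and address details, how often balances are reconciled, whether alerts exist for withdrawals, loans and transfers) can be turned into concrete checks. The following is an added example, not code from the original article or from any recordkeeper; the event schema, field names, the 14-day window and the 10,000 threshold are assumptions, and the activity log and balance files are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One plan-administration event. The kind/actor vocabularies are assumptions."""
    ts: datetime
    participant: str
    kind: str    # bank_change | address_change | password_reset | distribution | loan | transfer
    actor: str   # channel that performed it: participant_web | call_center | sponsor_admin
    amount: float = 0.0


PROFILE_CHANGE = {"bank_change", "address_change", "password_reset"}
MONEY_OUT = {"distribution", "loan", "transfer"}

# Constructed sample activity log (not real plan data).
SAMPLE_EVENTS = [
    Event(datetime(2020, 11, 2), "P-1001", "password_reset", "call_center"),
    Event(datetime(2020, 11, 3), "P-1001", "bank_change", "participant_web"),
    Event(datetime(2020, 11, 5), "P-1001", "distribution", "participant_web", 25_000.00),
    Event(datetime(2020, 9, 1), "P-1002", "address_change", "participant_web"),
    Event(datetime(2020, 11, 10), "P-1002", "loan", "participant_web", 5_000.00),
    Event(datetime(2020, 11, 12), "P-1003", "transfer", "participant_web", 2_000.00),
    Event(datetime(2020, 10, 30), "P-1004", "bank_change", "sponsor_admin"),
    Event(datetime(2020, 11, 6), "P-1004", "distribution", "participant_web", 8_000.00),
]

# Constructed balance extracts from the asset holder and the recordkeeper.
SAMPLE_CUSTODIAN = {"P-1001": 100_000.00, "P-1002": 52_000.50, "P-1003": 8_000.00}
SAMPLE_RECORDKEEPER = {"P-1001": 75_000.00, "P-1002": 52_000.50, "P-1004": 1_200.00}


def flag_suspicious(events, window_days=14, large_amount=10_000.0):
    """Alert on money leaving an account shortly after a profile change, or on large amounts.

    Returns a list of (participant, kind, ISO date, [reasons]) tuples, ordered by participant.
    """
    by_participant = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_participant.setdefault(e.participant, []).append(e)

    window = timedelta(days=window_days)
    alerts = []
    for participant in sorted(by_participant):
        changes = []  # profile changes seen so far for this participant, in time order
        for e in by_participant[participant]:
            if e.kind in PROFILE_CHANGE:
                changes.append(e)
                continue
            if e.kind not in MONEY_OUT:
                continue
            reasons = [
                f"{c.kind} via {c.actor} {(e.ts - c.ts).days}d earlier"
                for c in changes
                if e.ts - c.ts <= window
            ]
            if e.amount >= large_amount:
                reasons.append(f"amount {e.amount:,.2f} >= {large_amount:,.2f}")
            if reasons:
                alerts.append((participant, e.kind, e.ts.date().isoformat(), reasons))
    return alerts


def reconcile(custodian_balances, recordkeeper_balances, tolerance=0.01):
    """Return {participant: (custodian, recordkeeper)} for every participant whose
    balances differ by more than the tolerance or who appears on only one side."""
    mismatches = {}
    for p in sorted(set(custodian_balances) | set(recordkeeper_balances)):
        c = custodian_balances.get(p)
        r = recordkeeper_balances.get(p)
        if c is None or r is None or abs(c - r) > tolerance:
            mismatches[p] = (c, r)
    return mismatches


if __name__ == "__main__":
    for participant, kind, when, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {participant} {kind} on {when}: " + "; ".join(reasons))
    for p, (c, r) in reconcile(SAMPLE_CUSTODIAN, SAMPLE_RECORDKEEPER).items():
        print(f"MISMATCH {p}: custodian={c} recordkeeper={r}")
```

On the constructed log, P-1001 is flagged three times over (a call-center password reset, a bank-detail change and a large distribution within days of each other), P-1004 once for a sponsor-side bank change followed by a distribution, and the reconciliation surfaces a 25,000 gap on P-1001 plus two participants that exist on only one side. The window and threshold are tunable; a sponsor reviewing these alerts should pair them with a call-back to the participant at a previously known number before funds are released.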
The plan fiduciary should document, review and understand ongoing updates to both internal and external cybersecurity policies related to the plan. In addition, there are growing opportunities to educate participants to help ensure they do their part to protect themselves against cybersecurity issues. Finally, plan fiduciaries may want to consider the purchase of cybersecurity insurance or include cyber provisions within existing liability policies.
What is on the Horizon from the Department of Labor?
Noting the management of third-party service providers as one of the major areas of vulnerability that plan fiduciaries face, the Department of Labor (DOL) announced on October 28, 2020 that it is working on an informal guidance package addressing cybersecurity issues related to employee benefit plans. The DOL has also said it expects to focus more on the adequacy of cybersecurity programs during its investigations, especially for larger plans. That focus will include whether plans are screening the providers they use for good cybersecurity practices.
The Bottom Line
Cybersecurity is everyone’s responsibility – not just the IT department within your organization. Oftentimes, employee benefit plans may be overlooked within the company-level assessment of risk and special consideration is warranted. Due to multiple access points to participant data and plan assets, ensuring that all involved parties are taking these responsibilities seriously is more important than ever to protect each individual and their retirement savings. As cybersecurity continues to gain in attention, we expect regulators to continue to evaluate, inquire and require evidence that these discussions are being conducted and steps are being implemented. Your employees are trusting you to help protect their privacy, security and retirement from cybercriminals.
Candace Jackson, CPA, is a Director in Moore Colson’s Business Assurance Practice. She manages audit and review teams and serves as a Practice Area Leader in the firm’s Employee Benefit Plan Practice.
Jon Powell, CPA, CITP, CISA, is a Partner in Moore Colson’s Risk Advisory & Compliance Services Practice. In addition to assisting with cybersecurity initiatives, Jon leads Sarbanes Oxley initiatives, internal audit co-sourcing partnerships, SOC audits and other compliance engagements.