Employee Benefit Plan Cybersecurity Considerations

November 16, 2018 – The threat of cyber-attack and the breach of data are pervasive throughout the entire business world. Given the highly sensitive data contained within an employee benefit plan, these entities are no different. Because of this, the American Institute of Certified Public Accountants (AICPA) has listed cybersecurity among its “hot topics” in its 2018 Employee Benefits Plan Industry Developments audit risk alert. Within that publication, the AICPA asserts that Plan Sponsors “…may have a cybersecurity strategy for their business needs, but not a separate strategy for their employee benefit plans. Cybersecurity concerns for ERISA plans require special consideration because they are unique and differ from the business enterprise’s issues.” The risk alert also indicates that employee benefit plan cybersecurity is specifically deficient in strategies for protecting the data and assets of plans.

In November 2016, the Department of Labor (DOL)’s Advisory Council on Employee Welfare and Pension Benefit Plans released a publication entitled “Cybersecurity Considerations for Benefit Plans” (https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf). The intent of the publication was to give plan sponsors, fiduciaries and service providers some tools to use in developing a proper cybersecurity plan related to employee benefit plans. It built on previous advisory council work, dating back to 2011. In it, the advisory council went into detail on currently effective cybersecurity frameworks. It also spelled out industry trends and reiterated the use of the AICPA’s Service Organization Control (SOC) reports for data at third party service providers. Overall, the lengthy document gave many useful tips and best practices that can be implemented by any employee benefit plan regardless of size.

>> Based on the focus of the AICPA and the DOL, as well as the current business and political landscape, it is clear that cybersecurity is a very real issue for employee benefit plans. It is also clear that administrators and plan sponsors are not doing nearly enough to prevent their plans from cyber-attacks.

 

This article is an excerpt from Dopkins Employee Benefits Newsletter.  To read the complete content, please click here.

 

For more information, please contact John Matte at jmatte@dopkins.com.

About the Author

John F. Matte Jr. CPA

John serves as a leader in the Firm’s employee benefit plan audit practice, and concentrates his practice on audits on behalf of for-profit entities from a wide cross-section of industries. He also has significant experience consulting clients with respect to documentation and testing of internal controls, particularly entities subject to Sarbanes Oxley compliance.