Plan sponsors have a fiduciary responsibility to understand cybersecurity risk in an employee benefit plan (EBP). In order to satisfy this responsibility, plan sponsors must understand how EBPs are exposed to cybersecurity risk and design effective controls to mitigate that risk.
- Every employee benefit plan is at significant risk of a cyber attack.
- The consequences of a breach are significant.
- Plan sponsor fiduciary responsibilities with regard to cybersecurity risk extend beyond that of the financial statement audit. Plan sponsors need to be doing more than what has previously been done for the financial statement audit.
- It is important that the plan sponsor have a formal cybersecurity strategy and program in place.
- Unless expressly engaged to perform additional procedures, the plan auditor plays an important, but limited, role during the financial statement audit. However, plan auditors can be engaged to perform additional services to assist plan sponsors in meeting their fiduciary responsibility with regard to cybersecurity.
Cybersecurity Risks to Employee Benefit Plans
There is no denying it at this point — exposure of plan assets and information to cyber attacks poses significant risks for employee benefit plans.
Most plan information is maintained electronically; therefore, hackers find employee benefit plans wildly attractive. Gaining access to plan assets, participant personal information, beneficiary personal information, direct deposit information, and other personal identification information (PII) is just the tip of the iceberg.
Threat actors generally target the weakest link in order to gain entry. Therefore, employee benefit plans must be prepared. Hackers can work around anti-virus and anti-spam software. Plan sponsors should be on alert that attackers can operate under the guise of legitimate users and ultimately access plan assets, information, and the systems that support the financial reporting process.
Plan sponsors are required to do more than they ever have before. Simply performing a financial statement audit and obtaining Systems and Organizational Controls, or SOC 1, reports does not satisfy the fiduciary responsibility with regard to cybersecurity.
Consequences to Employee Benefit Plans
Fines, fees, litigation, reputation damage, and lost business are just the beginning. Additional consequences include:
- Cyber-attacks can take up to a month to be fully contained.
- Organizations that experience a breach underperform the market by more than 15% just three years later.
- 55% of organizations suffer losses due to compliance failure.
- In one study, business leaders were more concerned about damage to reputation and business viability than hefty compliance fines.
- Theft of PII and breach of online security can result in monetary losses to participants, beneficiaries, the plan, the plan sponsor, and service providers.
- Plan fiduciaries could be found to be responsible for a fiduciary breach.
- Breach of electronic protected health information, or EPHI, could result in potential violations under the Health Insurance Portability and Accountability Act and expose the plan sponsor and service providers to fines and litigation.
Examples of Employee Benefit Plan Cyber Attacks
Unfortunately, cyber-attacks are becoming more and more common. Below are several examples of cyber threats to employee benefit plans:
- Loss or theft. Mobile devices and laptops contain private data for countless participants and beneficiaries. Should these devices be stolen or misplaced, plan sponsors can face hundreds of thousands of dollars in costs between notifying employees, plus credit monitoring and insurance expenses.
- Fraudulent loans. Using an employee’s personal information, a cyber-criminal will establish web profiles that enable them to take an unauthorized loan against a participant account.
- In this case, cyber criminals encrypt a plan participant’s hard drive and release it only in exchange for monetary ransom.
- This type of attack begins with obtaining logins and passwords, then gains access to digital participant information, and proceeds to redirect benefits to another account, request loans or distributions, or submit fraudulent claims.
- Socially engineered malware. In this case, the end-user is duped into running what’s called a “Trojan horse” program, whereby malware is disguised and delivered. The user will be approached by a temporarily compromised website posing as one the user visits frequently.
Responsibilities Facing Plan Sponsors
Plan sponsors are required to protect not only plan assets, but plan data and participant information. As part of their fiduciary responsibility under the Employee Retirement Income Security Act (ERISA), plan sponsors are responsible for implementing processes and controls to restrict access to a plan’s systems, applications and data, including third-party records and other sensitive information. This applies to both physical and electronic systems and information. These processes and controls should include:
- Monitoring procedures. To ensure processes and controls are effective and routinely updated to address new and developing threats, it’s necessary to understand the limitations of the plan’s business insurance coverage and consider cyber insurance to address possible coverage gaps.
- A formal plan to address a breach. The plan sponsor should develop and approve a formal plan before any breach occurs to ensure issues can be remedied in an effective and timely manner. The Department of Labor recommends that the plan establish how the plan sponsor will communicate with plan participants regarding the breach itself and remedies that will be deployed to correct the breach.
Oversight of Third-Party Service Providers
When any portion of plan administration is outsourced to a third-party service provider or administrator (TPA), there are additional cybersecurity considerations that the plan sponsor must consider and address:
- Thorough vetting process. Plan sponsors should thoroughly vet their service providers and negotiate contract provisions to lower or mitigate the costs of correcting a possible cyberattack on a plan. The DOL Advisory Council Cybersecurity Report includes a list of questions that plan sponsors should ask each service provider. These questions help gain an understanding of the policies and procedures in place at the service provider regarding data security, breaches, and how breaches are communicated.
- SOC 2 report. Plan sponsors may be familiar with SOC 1 Reports, as these reports are generally obtained for financial reporting purposes. Although a good start to understanding policies and procedures in place at the service provider, a SOC 1 Report only addresses the TPAs controls over financial reporting and does not address a TPA’s broader cybersecurity controls and risks. A SOC 2 report specifically addresses the cybersecurity controls and risks in the system used by the service organization.
It is important for plan sponsors to understand that the responsibilities discussed above extend beyond the scope of a financial statement audit.
Responsibilities of Plan Auditors
The financial statement auditor plays an important — but limited — role with respect to cybersecurity.
According to CAQ Alert #2014-03: Cybersecurity and the External Audit, auditor responsibilities over cybersecurity in a financial statement audit extend only to the extent they could materially impact financial statements and plan assets.
The guidance goes on to say that cyber incidents typically occur in networks, applications, and systems that are far removed from testing that impacts a financial statement audit.
Therefore, plan fiduciaries must take action that extends well beyond a financial statement audit in order to address cybersecurity considerations — especially when TPAs and other service providers are involved.
DOL Expectations and AICPA Guidance
Plan sponsors will be expected by the DOL to provide evidence that action is being taken to safeguard plan assets, information, and systems. Three steps that plan sponsors can and should take to prepare for a DOL Cybersecurity audit include:
- Formally document the plan’s cybersecurity policies and procedures.
- Engage an auditor to conduct the required third-party audit of security controls.
- Develop a strategic plan to address identified deficiencies.
Although the plan sponsor’s fiduciary responsibilities with regard to cybersecurity go above and beyond their responsibilities related to the financial statement audit, plan sponsors can engage the auditor to assist them with these additional responsibilities. Many plan sponsors partner with their plan’s auditor or another CPA firm to leverage depth and breadth of experience in cybersecurity best practices.
To help plan management develop a description of the plan’s cybersecurity risk management program, the AICPA encourages plan sponsors to engage with their plan auditor or another CPA firm in a consulting capacity. Other consulting services that are encouraged include:
- Training and educational presentations for the board and other interested internal parties
- Performing a “readiness assessment” to help plan management identify where the plan’s cybersecurity processes and controls may need to be shored up
In addition, the AICPA has introduced SOC for Cybersecurity, which enables CPAs to examine and report on a plan’s cybersecurity risk management program. CPA firms can conduct the required SOC 2 third-party audits of security controls. A SOC 2 report provides valuable information to help plan management assess risks associated with both operational and financial risks associated with access to systems and data.
Learn more about partnering with PBMares to employ a multidisciplinary approach that combines proactive cybersecurity strategies with a degree of reactive forensic expertise. We take pride in helping our clients comply with all aspects of the DOL Cybersecurity requirements.