Due to the increased use of electronic means to process financial transactions and store confidential information, cybersecurity has become a major area of concern for all organizations. Cyber threats have become more sophisticated and have moved beyond a technology issue to a business risk that requires a comprehensive mitigation approach. More than ever before, companies need a clear understanding of the major threats, risks, costs and other negative factors associated with cybersecurity.
Concerns of the Department of Labor
The Department of Labor (DOL) has expressed concern that Employee Benefit Plan (EBP) administrators may be vulnerable to cyber-attacks and thus exposed to privacy, security, and fraud risks. Because most EBP administrators and their third-party administrators (TPAs) conduct plan transactions electronically, their exposure to cybersecurity risk is correspondingly higher. Ian Dingwall, Chief Accountant for the DOL’s Employee Benefits Security Administration (EBSA), recently raised the question of how plans and EBP administrators are protecting participants’ personal information. In light of these threats, the DOL encourages EBP administrators to evaluate cybersecurity governance seriously, both in-house and at their service providers and vendors, and continues to stress that securing plan data containing employees’ sensitive information is part of the plan fiduciary’s responsibility.
Getting Others Involved
Many organizations underestimate the financial consequences of a cyber-attack. Beyond direct financial losses, there are other costs to consider, including the expense of investigating and remediating the incident. Given the gravity of the issue, the company’s board of directors and executive team should be directly involved in dealing with cybersecurity.
The board of directors and company executives set the tone for security and should oversee the development of policies and procedures for implementing cybersecurity over EBP operations. An organization’s internal audit team can also help mitigate cybersecurity issues by providing independent assessments of existing controls, recommending new controls as needed, and assisting the board of directors in understanding and addressing the risks.
Trends in EBP Cybersecurity
The DOL maintains that overall responsibility for securing employees’ confidential information and EBP transaction data rests with the EBP administrators, so it is essential that they take the steps necessary to address cybersecurity. As auditors we see a growing trend, especially among our larger clients, of cybersecurity rising in importance and companies beginning to take concrete steps to defend against potential cyber-attacks.
We have observed at several companies that EBP administrators often believe that, with anti-virus and anti-spam software installed and with TPAs engaged to handle plan transactions, enough has been done to address cybersecurity. Considering the range of threats involved, relying on these measures alone does not ensure that sensitive plan data is protected. Anti-virus and anti-spam tools address commodity malware and phishing e-mail but offer little protection against compromised user credentials, social engineering of staff or participants, or insecure transfer of data to and from the TPA, and engaging a TPA does not transfer the plan fiduciary’s responsibility for that data to the TPA.
The DOL recommends the following for EBP administrators:
• Review written information security policies, including those regarding encryption
• Conduct periodic audits to detect threats
• Perform periodic testing of backup and recovery plans
• Determine responsibility for losses, including adequacy of cybersecurity insurance coverage
• Establish training policies to reinforce data security
As auditors, we recommend reviewing the Service Organization Controls (SOC) 1 reports of TPAs to confirm that the controls relevant to plan data are addressed. Two caveats apply. First, a SOC 1 report is scoped to controls relevant to financial reporting, so where data security itself is the concern the TPA’s SOC 2 report, which covers trust services criteria such as security and confidentiality, should be requested as well; note also that a type 2 report tests operating effectiveness over a period, while a type 1 only describes controls at a point in time. Second, every SOC report lists complementary user entity controls that the TPA assumes the plan sponsor operates; those controls need to be in place on the sponsor’s side, and any exceptions noted in the report need to be followed up. Additionally, those charged with plan governance need to develop a tailored strategy so that the steps above are carried out consistently. No single control guarantees that a cyber-attack will be prevented, but together these measures materially reduce the organization’s exposure.
As a Senior Manager on our ERISA Assurance and Compliance Services Team, Sharjeel has more than a decade of experience in accounting and financial audits for a variety of industries and employee benefit plans. He has planned and supervised numerous audits of defined contribution (401(a), 403(b), 401(k)) plans (including plans requiring Form 11-K filings), defined benefit (traditional pension and cash balance) plans, health and welfare plans, and master trust investment accounts.
Sharjeel is responsible for overall project performance, including all aspects of managing the fieldwork, supervision of the audit team, and audit report review and compliance. He has extensive knowledge of accounting and technical reporting standards and has assisted clients with their annual audit and reporting requirements for their benefit plans as well as Form 5500 filings. Sharjeel leads the Firm’s Form 5500 preparation practice and has assisted several clients with the DOL and IRS voluntary correction programs.