Cybersecurity for Your Retirement Plan: Asking the Right Questions

Cybersecurity is essential for any business, and especially so when choosing a retirement plan’s service providers. Under ERISA, plan administrators must act in a manner consistent with the “prudent fiduciary” standard, which requires a person to behave as those who regularly undertake the same obligations (their peers) would behave. A company can take measures to protect data in-house, but what are the essential questions a plan administrator should ask the plan’s external service providers (TPAs)?

In the article “What Fiduciaries Need to Ask Service Providers about Cybersecurity,” from Benefits Magazine, Wyatt Holliday and David Fournier discuss three key areas:

  • Managing Data
  • Protecting Physical Hardware
  • Managing People

Using Encryption to Manage Data

A plan administrator should ask the TPA whether it uses encryption when managing data. However, the plan administrator should also obtain an understanding of how the TPA handles data “at rest” and “in flight.” (Holliday, W. & Fournier, D. (2015, August). Benefits Magazine, 52(8), 18-21.)

“At rest” data is not currently in use but sits in a storage location such as a hard drive. When data is requested, or sent to third parties, it is “in flight.” “Hard-disk encryption,” the encryption of a physical drive, does not usually protect “in flight” data, because the drive hands plaintext to any process that reads it, and that plaintext is what leaves the building unless the transfer itself is encrypted. TPAs should therefore have secure sites and encryption software for sharing data with third parties. (Holliday, W. & Fournier, D. (2015, August). Benefits Magazine, 52(8), 18-21.)
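The distinction above is easy to state and easy to misjudge, so here is an added illustration (written for this page, not from the Benefits Magazine article or from any TPA’s systems) of why disk encryption alone leaves the “in flight” copy exposed. It models a drive with transparent at-rest encryption, reads a constructed participant record back (as any application would), and then compares what a network observer sees when that record is sent over a plain channel versus a separately keyed one. The cipher is a toy HMAC-SHA256 keystream so the script needs only the standard library; the volume class, the key names and the sample record are all assumptions made for the demonstration, not a stand-in for BitLocker, LUKS, TLS or SFTP.

```python
"""At rest vs. in flight: transparent disk encryption protects only the former."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Illustrative only; a real deployment would use AES-GCM or TLS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedVolume:
    """Hypothetical model of a drive with transparent ("at rest") encryption.

    write() stores ciphertext; read() returns plaintext to the caller, which is
    exactly how a mounted full-disk-encrypted volume behaves for applications.
    """

    def __init__(self, disk_key: bytes):
        self._disk_key = disk_key
        self._sectors: dict[str, tuple[bytes, bytes]] = {}

    def write(self, path: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        ct = _xor(plaintext, _keystream(self._disk_key, nonce, len(plaintext)))
        self._sectors[path] = (nonce, ct)

    def raw_bytes_on_disk(self, path: str) -> bytes:
        """What someone who pulls the physical drive (no key) would see."""
        return self._sectors[path][1]

    def read(self, path: str) -> bytes:
        """Transparent decryption: the application never sees ciphertext."""
        nonce, ct = self._sectors[path]
        return _xor(ct, _keystream(self._disk_key, nonce, len(ct)))


def send_plain(payload: bytes) -> bytes:
    """Unencrypted transfer (plain FTP, http, e-mail attachment): wire == payload."""
    return payload


def send_encrypted_channel(payload: bytes, session_key: bytes) -> tuple[bytes, bytes]:
    """Transfer over a separately keyed channel (stand-in for TLS/SFTP).
    Returns (nonce, wire_bytes); only the holder of session_key can read it."""
    nonce = os.urandom(16)
    return nonce, _xor(payload, _keystream(session_key, nonce, len(payload)))


def receive_encrypted_channel(nonce: bytes, wire: bytes, session_key: bytes) -> bytes:
    return _xor(wire, _keystream(session_key, nonce, len(wire)))


def demo() -> dict:
    """Run the scenario and report where the record is readable."""
    # Constructed sample record; not real participant data.
    record = b"participant=J.Doe;ssn=000-00-0000;balance=250000.00"
    vol = EncryptedVolume(disk_key=os.urandom(32))
    path = "/plans/sample401k/participants.csv"
    vol.write(path, record)

    at_rest = vol.raw_bytes_on_disk(path)          # ciphertext on the drive
    in_use = vol.read(path)                        # plaintext handed to the app
    wire_plain = send_plain(in_use)                # sent without transport encryption
    nonce, wire_enc = send_encrypted_channel(in_use, session_key=os.urandom(32))
    delivered = receive_encrypted_channel(nonce, wire_enc, session_key=None or b"")  # wrong key
    return {
        "at_rest_readable": record in at_rest,
        "in_use_readable": in_use == record,
        "wire_plain_readable": record in wire_plain,
        "wire_encrypted_readable": record in wire_enc,
        "wrong_key_readable": record in delivered,
    }


if __name__ == "__main__":
    for check, readable in demo().items():
        print(f"{check:26s} {'EXPOSED' if readable else 'protected'}")
```

The output line that matters for the fiduciary question is `wire_plain_readable`: the drive was encrypted the whole time, yet the copy sent to the third party is fully readable, which is why the questions to the TPA have to cover the transfer mechanism and not just the storage.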

Protecting Physical Hardware

Physical data security questions are also important:

  • Does the TPA have adequate protection from physical hazards like fires?
  • What policies and procedures does the TPA have in place regarding authorized personnel access?
  • How is printed data disposed of?
  • How and where are backups of data stored? (Make sure that the backup data is also being encrypted.)

Managing People

No matter how well designed a control system is, the TPA’s management of the people who operate within that system is crucial:

  • What policies and procedures are in place to manage people with access to data at all levels?
  • How quickly are terminated employees’ access rights revoked?
  • Does the company review access rights for appropriateness on a regular basis?
  • Can employees save data to local devices from the storage database?

In summary, plan administrators need to understand the control environment at their TPAs to meet the “prudent fiduciary” standard.

In 2016, the ERISA Advisory Council released a report on cybersecurity for plans. See the appendix section of the linked report below, starting on page 29, for further information: https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf

If you have any questions, please contact Scott Esworthy or Robyn Dougherty today!


Disclaimer: Information provided by Brown Plus as part of this blog post is intended for reference and information only. As the information is designed solely to provide guidance and is not intended to be a substitute for someone seeking personalized professional advice based on specific factual situations, responding to such inquiries does NOT create a professional relationship between Brown Plus and the reader and should not be interpreted as such. Although Brown Plus has made every reasonable effort to ensure that the information provided is accurate, Brown Plus makes no warranties, expressed or implied, on the information provided. The reader accepts the information as is and assumes all responsibility for the use of such information.