Cybersecurity is essential for any business, and especially so when choosing a retirement plan’s service providers. Under ERISA, plan administrators must meet the “prudent fiduciary” standard, which requires them to act as a peer who regularly undertakes the same obligations would act. A company can take measures to protect data in-house, but what are the essential questions a plan administrator should ask the plan’s external service providers (third-party administrators, or TPAs)?
In the Benefits Magazine article “What Fiduciaries Need to Ask Service Providers about Cybersecurity,” Wyatt Holliday and David Fournier discuss three key areas:
- Managing Data
- Protecting Physical Hardware
- Managing People
Using Encryption to Manage Data
A plan administrator should ask the TPA whether it uses encryption for managing data. However, the plan administrator should also obtain an understanding of how the TPA handles data “at rest” and “in flight.” (Holliday, W & Fournier, D (2015, August). Benefits Magazine, Volume 52, No. 8, 18-21.)
“At rest” data is not currently in use but sits in a storage location such as a hard drive. When data is requested, or sent to third parties, it is “in flight.” “Hard-disk encryption,” the encryption of a physical drive, does not usually protect “in flight” data, because the drive decrypts data as it is read. TPAs should have secure sites and encryption software for sharing data with third parties. (Holliday, W & Fournier, D (2015, August). Benefits Magazine, Volume 52, No. 8, 18-21.)
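The distinction above is easier to see in code. The following is an added illustration, not code from the article or from any TPA: a simulated encrypted disk (data at rest) and two ways of sending a record to a third party (data in flight). The record, the file name and the disk-and-session keys are constructed sample values, and the cipher is an HMAC-SHA256 keystream used as a stand-in for a real disk or transport cipher so that the example runs on the Python standard library alone. The point it demonstrates is that disk encryption leaves the bytes on the wire in plaintext unless a separate transport encryption step is applied.

```python
import hashlib
import hmac
import os

# Constructed sample record of the kind a TPA holds for a plan participant.
SAMPLE_RECORD = b"participant=Jane Doe;ssn=123-45-6789;balance=84210.55"
SSN_FRAGMENT = b"123-45-6789"  # the secret we check for on disk and on the wire


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with an HMAC-SHA256 counter-mode keystream.

    This is a stand-in for a real cipher (AES-GCM, TLS) chosen only so the
    example has no third-party dependency; it is not a production design.
    The same call decrypts, because XOR with the same keystream is its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class EncryptedDisk:
    """Data 'at rest': every write is encrypted with the disk key before it
    reaches storage, and reads transparently decrypt it again."""

    def __init__(self, disk_key: bytes):
        self._key = disk_key
        self._blocks = {}  # path -> (nonce, ciphertext)

    def write(self, path: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)  # fresh nonce per write so keystreams never repeat
        self._blocks[path] = (nonce, keystream_xor(self._key, nonce, plaintext))

    def read(self, path: str) -> bytes:
        nonce, ciphertext = self._blocks[path]
        return keystream_xor(self._key, nonce, ciphertext)

    def raw_bytes(self, path: str) -> bytes:
        """What someone who takes the drive, but not the key, actually sees."""
        return self._blocks[path][1]


def send_plain(disk: EncryptedDisk, path: str) -> bytes:
    """Data 'in flight' with no transport encryption: the disk layer has already
    decrypted on read, so the bytes on the wire are the plaintext record."""
    return disk.read(path)


def send_encrypted(disk: EncryptedDisk, path: str, session_key: bytes) -> bytes:
    """Data 'in flight' protected by a separate session key, which is what a
    TLS connection or an encrypted file-transfer tool provides."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(session_key, nonce, disk.read(path))


def receive_encrypted(wire_bytes: bytes, session_key: bytes) -> bytes:
    """The third party recovers the record with the shared session key."""
    return keystream_xor(session_key, wire_bytes[:16], wire_bytes[16:])


def exposes(observed: bytes, secret: bytes) -> bool:
    """True if an observer of these bytes can read the secret directly."""
    return secret in observed


def demo() -> dict:
    """Run the at-rest and in-flight scenarios and report what each exposes."""
    disk = EncryptedDisk(os.urandom(32))
    disk.write("participants.db", SAMPLE_RECORD)
    session_key = os.urandom(32)
    encrypted_transfer = send_encrypted(disk, "participants.db", session_key)
    return {
        "at_rest_exposed": exposes(disk.raw_bytes("participants.db"), SSN_FRAGMENT),
        "plain_transfer_exposed": exposes(send_plain(disk, "participants.db"), SSN_FRAGMENT),
        "encrypted_transfer_exposed": exposes(encrypted_transfer, SSN_FRAGMENT),
        "recipient_recovers_record": receive_encrypted(encrypted_transfer, session_key) == SAMPLE_RECORD,
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Running it shows the stolen-drive view and the encrypted transfer both hide the SSN, while the plain transfer exposes it even though the disk itself was encrypted. That is the reason the article asks administrators to confirm separately how the TPA protects data at rest and data in flight.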
Protecting Physical Hardware
Physical data security questions are also important:
- Does the TPA have adequate protection from physical hazards like fires?
- What policies and procedures does the TPA have in place regarding authorized personnel access?
- How is printed data disposed of?
- How and where are backups of data stored? (Make sure that the backup data is also being encrypted.)
Managing People
No matter how well designed a control system is, a TPA’s management of the people who operate within that system is crucial:
- What policies and procedures are in place to manage people with access to data at all levels?
- How quickly are terminated employees’ access rights revoked?
- Does the company review access rights for appropriateness on a regular basis?
- Can employees save data to local devices from the storage database?
In summary, plan administrators need to understand the control environment at their TPAs to meet the “prudent fiduciary” standard.
In 2016, the ERISA Advisory Council released a report on cybersecurity for plans. See the appendix section of the linked report below, starting on page 29, for further information: https://www.dol.gov/sites/default/files/ebsa/about-ebsa/about-us/erisa-advisory-council/2016-cybersecurity-considerations-for-benefit-plans.pdf
ABOUT THE AUTHOR
Robyn is a Principal with BSSF and has more than 25 years of public accounting experience. She assists a wide variety of clients, with a large concentration in the industries of engineering services, retail/wholesale, and construction. Robyn has served on the BSSF Employee Benefit Plan audit committee and has experience performing employee benefit plan audits.