Cybersecurity issues for plan sponsors
INSIGHT ARTICLE |
Authored by RSM US LLP
The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers.
Tim Hauser, deputy assistant secretary for the department's Employee Benefit Security Administration, has indicated that we should expect enhanced investigations from the department of various cybersecurity programs in order to confirm that plan sponsors are hiring service providers who facilitate effective cybersecurity practices.
Hauser also indicated that the forthcoming guidance would be informal, rather than a formal notice and comment.
Plan sponsor considerations
The department expects certain questions regarding the hiring of a Third Party Administrator (TPA) or record keeper (RK), including:
- What practices and policies do the service providers have to ensure their systems are secure?
- Does the service provider undergo regular third-party audits by an independent entity?
- How does the third party validate its systems cybersecurity?
- Is there any history of cybersecurity incidents? If so, what is the TPA's and RK's track record?
- What did the TPA and RK learn from any prior incidents, and how have they improved their defensive processes?
- Do they indemnify their clients in the event of security system breaches that result in losses?
- Do they have insurance policies to make a victimized business whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?
In the event a security breach is identified and an offender has achieved access to confidential information, the plan sponsor should produce a documented response, which includes notifying law enforcement, the FBI, the plan and its participants.
Once an official final guidance package is made available, we will share that information with you.
This article was written by RSM US LLP and originally appeared on 2021-02-15.
2020 RSM US LLP. All rights reserved.
The information contained herein is general in nature and based on authorities that are subject to change. RSM US LLP guarantees neither the accuracy nor completeness of any information and is not responsible for any errors or omissions, or for results obtained by others as a result of reliance upon such information. RSM US LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect information contained herein. This publication does not, and is not intended to, provide legal, tax or accounting advice, and readers should consult their tax advisors concerning the application of tax laws to their particular situations. This analysis is not tax advice and is not intended or written to be used, and cannot be used, for purposes of avoiding tax penalties that may be imposed on any taxpayer.