Cyber attacks pose a growing threat to businesses across all industry sectors, as many rely heavily on the internet to communicate, share sensitive information and transact business.
Plan Sponsors collect sensitive information from participants during plan enrollment and in all subsequent transactions, including changes to deferral and/or investment elections, loan requests and loan distributions. In the event of a cyber-attack or data breach, Plan Administrators may be exposed to privacy, security and even fraud-related risks.
The U.S. Department of Labor holds Plan Administrators accountable for protecting all systems, applications and data relating to the Plan. For this reason, Plan Administrators must carefully assess cyber security concerns when evaluating a Plan's internal controls. Strict procedures and processes must be implemented and maintained to ensure that these systems and applications are not vulnerable. This responsibility extends to third-party administrators (TPAs) if they hold the Plan records or maintain sensitive data or information.
When Plan Administrators address cyber security in the risk-assessment process, the U.S. Department of Labor recommends the following:
It will be necessary to include all third-party service providers and their vendors when evaluating the Plan's controls regarding cyber security. If SOC 1 reports are obtained, it is important to note that they may be limited in scope. Although these reports will address Plan controls and risks as they pertain to financial reporting, they may not specifically address those controls and risks as they relate to cyber security.
For the Employee Benefit Plan Audit Quality Center’s full article on the U.S. Department of Labor’s concerns, see EBPAQC Alert No. 365 from the AICPA.
To determine if your 401(k) benefit plan is subject to an audit or for a consultation regarding your current 401(k) plan, contact JoAnn today.