Cyber threats and data breaches have increased the U.S. Department of Labor’s concern over safeguarding employee personal information. In response, the Employee Benefits Security Administration (EBSA) developed and released guidance for plan sponsors and fiduciaries to consider and apply when evaluating service providers. In 2021, the number of reported data breaches increased by 17%, costing U.S. companies an average of $4M. Engaging service providers with formal cybersecurity practices and procedures helps ensure the security of personally identifiable information (PII), such as Social Security numbers. To help clients, prospects, and others, JLK Rosenberger has provided a summary of the key practices released by the EBSA.
Essential Cybersecurity Considerations
- Information Security Standards – It is essential to understand the security standards the service provider adheres to and operates under. Providers that follow a recognized information security standard will use an outside auditor to validate compliance. As such, do not only ask to see the policies and procedures followed, but also the most recent Service Organization Control (SOC) audit report. Check that the report covers information security, system/data availability, processing integrity, and data confidentiality.
- Practice Validation – Determine how the provider validates its practices and which level of security standard is met and implemented. Finding out how validation is accomplished is essential because it reflects the effectiveness of the established practices. Pay special attention to any programs or provisions that give the plan the right to review audit results demonstrating compliance.
- Insurance Policies – It is also important to find out whether the provider has any cybersecurity insurance policies that cover losses caused by data breaches. Pay close attention to ensure the coverage includes both breaches caused by internal threats (employee misconduct) and external threats (cybercriminals). If the provider does not have insurance or lacks adequate insurance, this is a red flag that should be considered.
- Historical Performance – Spend time researching the provider’s track record, including any publicly available information about past information security incidents, as well as litigation and other legal proceedings. Concurrently, ask whether there have been past security breaches, what happened, how each was addressed, and the timeline for each remediation event. The combination of these two sources of information will help determine the provider’s trustworthiness.
- Contract Review – Once the decision to hire a provider is made, carefully review the service contract to ensure plan interests are properly protected. Specific attention should be given to ensuring there is a requirement for ongoing compliance with security standards. Also, be aware of any provisions that limit the provider’s responsibility for data breaches. Ideally, the contract includes provisions requiring an annual SOC audit, an outline of data confidentiality rules, a breach notification timeline, requirements for compliance with information security laws, and mandates for specific insurance coverages (cyber liability, blanket crime coverage).
We’re here to help
The fiduciary responsibility of a 401(k) plan sponsor requires careful attention to the cybersecurity practices of any retained third-party provider. As the complexity of cyber-attacks increases, plan sponsors need to ensure participant data is adequately protected. If you have questions about the information outlined above or need assistance with your 401(k) plan audit, JLK Rosenberger can help. For additional information, call us at 818-334-8631 or contact us online. We look forward to speaking with you soon.