Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information
ERISA vs. State Law Requirements, Preemption, Auditor's Role in Addressing Cybersecurity Controls, Third-Party Agreements

Course Details
- Format: On-Demand
- Difficulty Level: Intermediate
- Practice Area: Accounting
- Date: Thursday, August 15, 2019
- Time: 1:00 PM E.T.
- Program Length: 110 minutes
- BARBRI is a NASBA CPE sponsor and this 110-minute webinar is accredited for 2.0 CPE credits.
This course will guide employee benefits administrators and audit advisers on conducting risk assessments of cybersecurity measures for employee benefit plans. The panel will discuss the specific fiduciary duties imposed on sponsors and administrators to protect individual identity and health information, offer practical strategies for ensuring the adequacy of cybersecurity processes, and discuss how auditors can properly document cybersecurity risk assessments in audits of ERISA plans.
Description
Data breach prevention and response is an increasingly pressing issue for many industries, including employee benefit plans. The 2015 data breach of Anthem impacted employers and health plans nationwide, and the DOL has been warning plan administrators to take measures to protect ERISA plan information. However, plan sponsors and fiduciaries face complex and sometimes contradictory regulations that differ based on the type of plan involved.
Unlike the liability for breaches of healthcare plans where the standards and liability are more certain (e.g., HIPAA, HITECH), the standards and liability under ERISA for retirement benefits plans are inconclusive. The ERISA Advisory Council recently provided DOL with limited guidance on cybersecurity risks. However, the guidance fails to address the scope of ERISA fiduciary obligations regarding cybersecurity.
Audit advisers of ERISA plans are responsible for identifying scenarios where a data breach or risk may materially impact a plan's financial statements or plan assets, but are not explicitly required to address cybersecurity in a financial statement audit. Where the plan utilizes third parties for records and transaction documentation, a SOC 2 examination of the service organization involved requires auditors to address the cybersecurity controls and risks present in the third-party provider's systems.
Listen as our expert panel provides guidance to benefits counsel on trends in data breaches of ERISA healthcare and retirement plans. The group will review the recent BCBS/Anthem litigation, discuss the scope of fiduciary obligations to prevent breaches, ERISA preemption of state data breach laws, and contractual risk mitigation with TPAs.
Outline
- Trends in ERISA data breaches: healthcare and retirement plans
- ERISA fiduciary obligations concerning data breaches
- Health plan requirements vs. ERISA investment plans
- HIPAA duty to safeguard protected health information under DOL Reg. 2520.104b-1(c)
- Applying ERISA Section 404 fiduciary duty to act with "care, skill, prudence and diligence" to data protection
- Fiduciaries' obligation to monitor third-party service providers
- ERISA 2016 cybersecurity guidance
- State data protection and anti-breach laws and ERISA preemption post-Anthem
- Incorporating cybersecurity protections into retirement plan contracts with TPAs
- AICPA and CAQ guidance
- Auditor's limited role in addressing cybersecurity in a financial statement audit
- Addressing disclosures in financial statements and ICFR
- Third-party organizations and SOC 2 audits
Benefits
The panel will review these and other key issues:
- What specific obligations do plan sponsors and fiduciaries have when responding to an occurrence of a data breach?
- How can plan sponsors manage their breach response to safeguard plan data and reduce the risk of legal and regulatory action?
- What are the lessons from the Anthem litigation and recent breaches of retirement plan employee information?
- How can cybersecurity protections be incorporated into retirement plan contracts with TPAs?
NASBA Details
Learning Objectives
After completing this course, you will be able to:
- Identify the "gray areas" in determining the extent to which a plan sponsor or administrator has a fiduciary duty to protect ERISA plans against a data breach
- Discern between health plan and ERISA plan standards for determining fiduciaries' liability for data breach and other cyber attacks
- List the standards found in the 2016 ERISA guidance for cybersecurity protective processes
- Recognize auditor's obligations and role in assessing cybersecurity controls in the context of both financial statement audits of ERISA plans and SOC 2 reports of TPAs
- Field of Study: Auditing
- Level of Knowledge: Intermediate
- Advance Preparation: None
- Teaching Method: Seminar/Lecture
- Delivery Method: Group-Internet (via computer)
- Attendance Monitoring Method: Attendance is monitored electronically via a participant's PIN and through a series of attendance verification prompts displayed throughout the program
- Prerequisite: Three or more years' business or public firm experience at mid-level within the organization, auditing employee benefit plans or supervising others conducting employee benefit plan audits. Specific knowledge of peer review preparation and reviewers' concerns, document procedures, defined contribution plans and defined benefit plans, and general AICPA peer review standards; familiarity with SOC reports, documentation of internal controls, and common noncompliance issues.

Strafford Publications, Inc. is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State Boards of Accountancy have final authority on the acceptance of individual courses for CPE credits. Complaints regarding registered sponsors may be submitted to NASBA through its website: www.nasbaregistry.org.