Cybersecurity issues for plan sponsors


Authored by RSM US LLP

The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers.

Tim Hauser, deputy assistant secretary for the department’s Employee Benefit Security Administration, has indicated that we should expect the department to step up its investigations of cybersecurity programs, in order to confirm that plan sponsors are hiring service providers that follow effective cybersecurity practices.

Hauser also indicated that the forthcoming guidance would be informal, rather than a formal notice-and-comment process.

Plan sponsor considerations

The department expects certain questions regarding the hiring of a Third Party Administrator (TPA) or record keeper (RK), including:

  • What practices and policies do the service providers have to ensure their systems are secure?
  • Does the service provider undergo regular third-party audits by an independent entity?
  • How does the third party validate the cybersecurity of its systems?
  • Is there any history of cybersecurity incidents? If so, what is the TPA’s and RK’s track record?
  • What did the TPA and RK learn from any prior incidents, and how have they improved their defensive processes?
  • Do they indemnify their clients in the event of security system breaches that result in losses?
  • Do they have insurance policies to make a victimized business whole and cover breaches, or do they have all sorts of waivers and exculpatory clauses in their contracts?

In the event a security breach is identified and an attacker has gained access to confidential information, the plan sponsor should carry out a documented response, which includes notifying law enforcement (including the FBI), the plan, and its participants.

Once an official final guidance package is made available, we will share that information with you.