Cybersecurity controls & considerations for the Plan Sponsor – from the plan auditor perspective

In April 2021, the DOL published its cybersecurity guidance for plan sponsors: "US Department of Labor announces new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, plan participants" (U.S. Department of Labor, dol.gov).

June 2021 update: The DOL has just announced that it will begin issuing information and document requests in its upcoming exams as part of its cybersecurity initiative: "DOL Begins Its Cybersecurity Audit Initiative – And It's a Doozy" (ML BeneBits, Morgan Lewis).

Plan Sponsors should now have on their priority list for 2021 the development of cybersecurity policies and procedures for both the company and the plan. Here are a few key items Plan Sponsors should consider including as they develop and/or update their company cybersecurity policy, from the plan auditor perspective.

A recent article on the NAPA website, "DOL Stepping Up Cybersecurity Focus" (National Association of Plan Advisors, napa-net.org), informed us that the Department of Labor is going to increase its focus on Plan Sponsor cybersecurity policies and procedures in upcoming exams.

Document the review of SOC-2 reports 

Most Plan Sponsors are familiar with SOC-1, Type 2 reports. However, a SOC-2 report may be unfamiliar to a Plan Sponsor. SOC-2 reports are specifically targeted to document and test information and IT security controls at a service provider. A SOC-2 report may focus on a combination of IT controls related to security, confidentiality, information privacy, processing integrity and availability. 

Plan Sponsors who want to develop a solid cybersecurity policy should include a requirement to annually obtain SOC-2 reports from their key service providers to the Plan. This policy should include a requirement for the Plan Sponsor to document their review of the SOC-2 report, including management's assessment of any deficiencies noted in the SOC-2 report and the potential impact on the Plan. The review of the SOC-2 report should be reported to the Plan Oversight Committee and documented in the meeting minutes.

Document the review of SOC-1, Type 2 reports

A cybersecurity policy should also include a requirement to obtain and review the SOC-1, Type 2 reports for the Plan's service providers. A SOC-1, Type 2 report is broader in scope compared to a SOC-2 report. The SOC-1, Type 2 report documents and tests all controls specific to a service activity (payroll processing, retirement plan transactions, etc.) at a service provider. A SOC-1, Type 2 report will commonly include a section on IT controls tested at the service provider; however, the IT control testing in a SOC-2 report is typically much broader in scope and more detailed when compared to a SOC-1, Type 2 report. Similar to the SOC-2 report previously discussed, Plan Sponsors should include a requirement in their cybersecurity policy to document the review of SOC-1, Type 2 reports, including management's assessment of any deficiencies noted in the SOC-1, Type 2 report and the potential impact on the Plan. See my article on tips for reviewing a SOC-1 report: "What is a SOC-1 report? And why is it important to your Plan? From the auditor perspective" (LinkedIn).

IT security training and education for employees

Employees of the Plan Sponsor are on the front line for defending against cyber threats. It is very common for a cybercriminal to gain access to sensitive company data via an employee clicking on a link in an e-mail, which then provides the cybercriminal with access to the company's IT network.

Plan Sponsors need to ensure their employees have received appropriate training to be skeptical of unexpected e-mails asking for information. Employees also need to be trained to not click on links in e-mails until the link can be verified as safe.

A cybersecurity policy should include requirements for periodic cybersecurity training sessions for all employees of the Plan Sponsor. My company uses an on-line training course by KnowBe4 (https://www.knowbe4.com). The content in these trainings is constantly updated to educate employees about new threats and new schemes that cybercriminals are attempting to use to trick unsuspecting employees.

A robust cybersecurity policy should also include requirements for the Plan Sponsor's IT department to periodically send out simulated phishing or other test e-mails to measure employees' ability to identify potentially threatening e-mails, and then provide re-training to employees as needed.

Understanding cybersecurity policies and trainings at key service providers

A robust cybersecurity policy should include requirements for the Plan Sponsor to evaluate and document the IT policies and controls at key service providers to the Plan Sponsor. If a key service provider is not able to provide a Plan Sponsor with a robust cybersecurity policy, the Plan Sponsor should evaluate if there are IT risks involved with doing business with the service provider.

A Plan Sponsor needs to understand and document how a service provider ensures the protection of the Plan Sponsor’s employees’ sensitive personal data, as well as how employees at the service provider are provided with regular cybersecurity trainings.

Another key item a Plan Sponsor's cybersecurity policy should include is a requirement to understand and document how key service providers and vendors will respond to an IT breach at their company, as well as how the vendors and service providers will inform you, the Plan Sponsor, of the IT breach.

Plan Sponsors need to obtain and evaluate the cybersecurity incident response plan for each key service provider, ask about changes since the last version of the plan was obtained, and ask whether the service provider has tested the incident response plan. If a service provider does not have a cybersecurity incident response plan, the Plan Sponsor should evaluate their relationship with this service provider.

Plan Sponsor cybersecurity incident response plan

Similar to a key service provider, a Plan Sponsor's cybersecurity policy needs to include a cybersecurity incident response plan. It is not a matter of if, but when, a company will incur a cyber breach. A cyber breach incident response plan needs to clearly document who to contact and what steps to take when a company is attacked with a cyber breach. Here are several sites with sample cyber breach incident response plans to get you started:

Red Canary: Cyber Incident Response Guide | Remediation Steps | Red Canary

Security Metrics: How to Create and Implement a Successful Incident Response Plan (securitymetrics.com)

FR Secure: Incident Response Plan Template | FRSecure

Key controls over distributions from the plan

Where is the biggest risk of loss to a plan? Fraudulent distribution requests. Plan assets being incorrectly distributed based on fraudulent requests is a commonly reported retirement plan loss. Plan Sponsors need to ensure their company's cybersecurity policy includes policies and procedures over distribution requests from the retirement plan, to include the following:

- What are the processes and controls at the Plan Sponsor, custodian, third party administrator, and any other organizations involved in the distribution process?

- Have the controls and processes at the above entities been designed to validate and ensure distribution requests are from valid participants?

- Are there periodic trainings for employees involved in the distribution cycle, to ensure employees understand the need to follow approved policies and procedures related to distributions from the retirement plan?

Ask employees to periodically review their 401k account for unexpected activity

Employees know their own 401k accounts better than anyone. A Plan Sponsor should remind the company's employees to periodically review their 401k account activity, to ensure there is no questionable or unauthorized activity.

These recommended components of a Plan Sponsor’s cybersecurity policy are not meant to be all-encompassing. Each Plan Sponsor should evaluate their own IT control environment to determine the best cybersecurity policy. 

Jake Rushton

Modern 401(k) Services | Video Strategy Training

3y

Scary stuff! Cyber criminals are so innovative, it’s such a waste.
