Have You Addressed Your Cyber Threats?
It seems no one is immune to cyber-attacks these days, including employee benefit plan (EBP) administrators. Plan administrators oversee and execute financial transactions, participant requests and update plan and participant records electronically. This sensitive information includes, but is not limited to, participant names, addresses, salaries, and social security numbers, which are prime targets for hackers. The Department of Labor is concerned that plan administrators may be vulnerable to cyber-attacks.
Who is responsible for cybersecurity?
Plan administrators are responsible for implementing controls to protect plan data, regardless of whether the plan records are maintained internally or by external service providers or vendors. The plan administrator must understand which service providers and sub-service providers are granted access to plan data, and evaluate their cybersecurity risk. Although most plan administrators obtain a SOC 1 or SOC 2 report on controls at third-party service organizations, those reports are not enough. SOC 1 reports only address controls related to financial reporting, and SOC 2 reports address system reliability. Because of the limited scope and focus of SOC 1 and 2 reports, the full range of cybersecurity risks may not be addressed.
What can I do to protect against cyber-attacks?
The National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (the Framework) in 2014 under the direction of President Obama. The Framework provides standards, guidelines, and best practices and is a great resource to follow when evaluating and managing cybersecurity risks.
The AICPA’s Cybersecurity Resource Center provides more information regarding addressing cybersecurity risks and the AICPA’s EBP Audit Quality Center recommends performing the following steps to assess your cybersecurity risk:
- Evaluate your security policies and procedures and those of your sub-service providers and vendors. Consider using the NIST Framework to identify topics that must be addressed by the policies and procedures.
- Perform audits to determine compliance with security policies and procedures and identify vulnerabilities.
- Test incident response and recovery plans.
- Determine who is responsible for losses, and review the adequacy of cybersecurity insurance coverage.
- Implement security training and awareness programs.
Does the Plan’s financial statement audit cover cybersecurity?
The external auditor’s responsibilities typically include understanding information technology systems and controls to assess the risks of material misstatement to the financial statements, primarily focusing on system access and changes and data that could impact the financial statements. This does not include an assessment of the broader spectrum of risks facing the organization’s operational systems and data. However, if an issue is brought to the external auditor’s attention regarding a cybersecurity breach, the auditor will evaluate any potential impact on financial reporting and disclosures. Some organizations engage the external auditor to specifically evaluate cybersecurity and other risks.
Take the first step by ensuring the responsibility for evaluating cybersecurity risk is clearly assigned, and the resources that are available to you are leveraged to assess and manage your cybersecurity risk.