
Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information

ERISA vs. State Law Requirements, Preemption, Auditor's Role in Addressing Cybersecurity Controls, Third-Party Agreements

Recording of a 110-minute CPE webinar with Q&A


Conducted on Thursday, August 15, 2019


This course will guide employee benefits administrators and audit advisers on conducting risk assessments of cybersecurity measures for employee benefit plans. The panel will discuss the specific fiduciary duties imposed on sponsors and administrators to protect individual identity and health information, offer practical strategies for ensuring the adequacy of cybersecurity processes, and discuss how auditors can properly document cybersecurity risk assessments in audits of ERISA plans.


Data breach prevention and response is an increasingly pressing issue for many industries, including employee benefit plans. The 2015 data breach of Anthem impacted employers and health plans nationwide, and the DOL has been warning plan administrators to take measures to protect ERISA plan information. However, plan sponsors and fiduciaries face complex and sometimes contradictory regulations that differ based on the type of plan involved.

Unlike health plans, where the standards and liability for breaches are relatively settled (e.g., HIPAA, HITECH), the standards and liability under ERISA for retirement plans remain unsettled. The ERISA Advisory Council recently provided DOL with limited guidance on cybersecurity risks, but that guidance does not address the scope of ERISA fiduciary obligations regarding cybersecurity.

Audit advisers of ERISA plans are responsible for identifying scenarios in which a data breach, or the risk of one, may materially affect a plan's financial statements or plan assets, but they are not explicitly required to address cybersecurity in a financial statement audit. Where a plan relies on third parties for recordkeeping and transaction documentation, a SOC 2 examination of that service organization is where the cybersecurity controls and risks in the third-party provider's systems are addressed, and the plan's auditors must consider those controls and risks when relying on the provider's records.

Listen as our expert panel provides guidance to benefits counsel on trends in data breaches of ERISA healthcare and retirement plans. The group will review the recent BCBS/Anthem litigation and discuss the scope of fiduciary obligations to prevent breaches, ERISA preemption of state data breach laws, and contractual risk mitigation with TPAs.



  1. Trends in ERISA data breaches: healthcare and retirement plans
  2. ERISA fiduciary obligations concerning data breaches
    a. Health plan requirements vs. ERISA investment plans
    b. HIPAA duty to safeguard protected health information under DOL Reg. 2520.104b-1(c)
    c. Applying ERISA Section 404 fiduciary duty to act with "care, skill, prudence and diligence" to data protection
    d. Fiduciaries' obligation to monitor third-party service providers
  3. ERISA 2016 cybersecurity guidance
  4. State data protection and anti-breach laws and ERISA preemption post-Anthem
  5. Incorporating cybersecurity protections into retirement plan contracts with TPAs
  6. AICPA and CAQ guidance
    a. Auditor's limited role in addressing cybersecurity in a financial statement audit
    b. Addressing disclosures in financial statements and ICFR
    c. Third-party organizations and SOC 2 audits


The panel will review these and other key issues:

  • What specific obligations do plan sponsors and fiduciaries have when responding to a data breach?
  • How can plan sponsors manage their breach response to safeguard plan data and reduce the risk of legal and regulatory action?
  • What are the lessons from the Anthem litigation and recent breaches of retirement plan employee information?
  • How can cybersecurity protections be incorporated into retirement plan contracts with TPAs?


Amy M. Gordon

Winston & Strawn

Ms. Gordon focuses her practice on welfare benefits including the Health Insurance Portability and Accountability Act...

Allison Itami

Groom Law

Ms. Itami advises employers and service providers on employee benefit programs, with a focus in federal laws such as...

Jesse St.Cyr

Poyner Spruill

Mr. St.Cyr has experience working with a diverse range of benefits and compensation matters including those involving...
