Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information
ERISA vs. State Law Requirements, Preemption, Auditor's Role in Addressing Cybersecurity Controls, Third-Party Agreements
Recording of a 110-minute CPE webinar with Q&A
This course will guide employee benefits administrators and audit advisers on conducting risk assessments of cybersecurity measures for employee benefit plans. The panel will discuss the specific fiduciary duties imposed on sponsors and administrators to protect individual identity and health information, offer practical strategies for ensuring the adequacy of cybersecurity processes, and discuss how auditors can properly document cybersecurity risk assessments in audits of ERISA plans.
Outline
- Trends in ERISA data breaches: healthcare and retirement plans
- ERISA fiduciary obligations concerning data breaches
- Health plan requirements vs. ERISA investment plans
- HIPAA duty to safeguard protected health information under DOL Reg. 2520.104b-1(c)
- Applying ERISA Section 404 fiduciary duty to act with "care, skill, prudence and diligence" to data protection
- Fiduciaries' obligation to monitor third-party service providers
- ERISA 2016 cybersecurity guidance
- State data protection and anti-breach laws and ERISA preemption post-Anthem
- Incorporating cybersecurity protections into retirement plan contracts with TPAs
- AICPA and CAQ guidance
- Auditor's limited role in addressing cybersecurity in a financial statement audit
- Addressing disclosures in financial statements and ICFR
- Third-party organizations and SOC 2 audits
Benefits
The panel will review these and other key issues:
- What specific obligations do plan sponsors and fiduciaries have when responding to an occurrence of a data breach?
- How can plan sponsors manage their breach response to safeguard plan data and reduce the risk of legal and regulatory action?
- What are the lessons from the Anthem litigation and recent breaches of retirement plan employee information?
- How can cybersecurity protections be incorporated into retirement plan contracts with TPAs?
Faculty

Amy M. Gordon
Partner
Winston & Strawn
Ms. Gordon regularly advises clients on their self-funded and insured health plans, wellness programs, and on-site clinics. She also handles fiduciary issues, including prohibited transactions and other ERISA Title I matters. She assists clients in designing and maintaining compliant flexible benefit, life, medical, dental, pharmacy, employee assistance programs (EAP), educational assistance, disability, supplemental health, severance, health savings accounts, health reimbursement accounts, and other types of welfare plans. She also provides guidance on retiree benefit plans.
Allison Itami
Principal
Groom Law
Ms. Itami advises employers and service providers on employee benefit programs, with a focus on federal laws such as ERISA and the Internal Revenue Code, and on the ways in which state laws affect benefit plans.
Jesse St.Cyr
Partner
Poyner Spruill
Mr. St.Cyr has experience working with a diverse range of benefits and compensation matters, including those involving mergers and acquisitions, qualified and non-qualified deferred compensation, equity compensation, welfare benefits, fringe benefits, and executive employment and severance agreements.