Home » Webinars » Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information

Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information

ERISA vs. State Law Requirements, Preemption, Auditor's Role in Addressing Cybersecurity Controls, Third-Party Agreements

Recording of a 110-minute CPE webinar with Q&A

This program is included with the Strafford CPE Pass. Click for more information.

This program is included with the Strafford CPE+ Pass. Click for more information.

This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Thursday, August 15, 2019

Recorded event now available

or call 1-800-926-7926

Presentation

This course will guide employee benefits administrators and audit advisers on conducting risk assessments of cybersecurity measures for employee benefit plans. The panel will discuss the specific fiduciary duties imposed on sponsors and administrators to protect individual identity and health information, offer practical strategies for ensuring the adequacy of cybersecurity processes, and discuss how auditors can properly document cybersecurity risk assessments in audits of ERISA plans.

Description

Data breach prevention and response is an increasingly pressing issue for many industries, including employee benefit plans. The 2015 data breach of Anthem impacted employers and health plans nationwide, and the DOL has been warning plan administrators to take measures to protect ERISA plan information. However, plan sponsors and fiduciaries face complex and sometimes contradictory regulations that differ based on the type of plan involved.

Unlike the liability for breaches of healthcare plans where the standards and liability are more certain (e.g., HIPAA, HITECH), the standards and liability under ERISA for retirement benefits plans are inconclusive. The ERISA Advisory Council recently provided DOL with limited guidance on cybersecurity risks. However, the guidance fails to address the scope of ERISA fiduciary obligations regarding cybersecurity.

Audit advisers of ERISA plans are responsible for identifying scenarios where a data breach or risk may materially impact a plan's financial statements or plan assets, but are not explicitly required to address cybersecurity in a financial statement audit. Where the plan utilizes third parties for records and transaction documentation, a SOC 2 examination of the service organization involved requires auditors to address the cybersecurity controls and risks present in the third-party provider's systems.

Listen as our expert panel provides guidance to benefits counsel on trends in data breaches of ERISA healthcare and retirement plans. The group will review the recent BCBS/Anthem litigation, discuss the scope of fiduciary obligations to prevent breaches, ERISA preemption of state data breach laws, and contractual risk mitigation with TPAs.

Trends in ERISA data breaches: healthcare and retirement plans
ERISA fiduciary obligations concerning data breaches
1. Health plan requirements vs. ERISA investment plans
2. HIPAA duty to safeguard protected health information under DOL Reg. 2520.104b-1(c)
3. Applying ERISA Section 404 fiduciary duty to act with "care, skill, prudence and diligence" to data protection
4. Fiduciaries' obligation to monitor third-party service providers
ERISA 2016 cybersecurity guidance
State data protection and anti-breach laws and ERISA preemption post-Anthem
Incorporating cybersecurity protections into retirement plan contracts with TPAs
AICPA and CAQ guidance
1. Auditor's limited role in addressing cybersecurity in a financial statement audit
2. Addressing disclosures in financial statements and ICFR
3. Third-party organizations and SOC 2 audits

Benefits

The panel will review these and other key issues:

What specific obligations do plan sponsors and fiduciaries have when responding to an occurrence of a data breach?
How can plan sponsors manage their breach response to safeguard plan data and reduce the risk of legal and regulatory action?
What are the lessons from the Anthem litigation and recent breaches of retirement plan employee information?
How can cybersecurity protections be incorporated into retirement plan contracts with TPAs?

Faculty

Amy M. Gordon
Partner
Winston & Strawn

Ms. Gordon regularly advises clients on their self-funded and insured health plans, wellness programs, and on-site... | Read More

Allison Itami
Principal
Groom Law

Ms. Itami advises employers and service providers on employee benefit programs, with a focus in federal laws such as... | Read More

Jesse St.Cyr
Partner
Poyner Spruill

Mr. St.Cyr has experience working with a diverse range of benefits and compensation matters including those involving... | Read More

Access Anytime, Anywhere

CPE credit is not available on downloads.

Download

Presentation

or call 1-800-926-7926

Excellent seminar! It was efficient and the important topics were covered at just the right pace; no time was wasted covering information that the participants already knew.

Rhonda G. Williams, CPA
Barraclough & Associates

The conference was technical, informative and presented at a good pace.

Krystal Ching
KMH

I liked the fact that there was more than one person presenting the material. It's nice to hear multiple perspectives.

Matt Bristow
Cover & Rossiter

Strafford's live courses offer you a high quality and convenient Continuing Legal Education and Continuing Professional Education option. We have been serving the legal and accounting community for over 30 years.

1,000+ webinars per year
8,200+ webinars completed
6,300+ on-demand webinars
190,000+ satisfied customers
10,500+ expert practitioners