Cybersecurity Risk Assessment and Employee Benefit Plans: Fiduciaries' Duty to Protect Plan Information
ERISA vs. State Law Requirements, Preemption, Auditor's Role in Addressing Cybersecurity Controls, Third-Party Agreements
Recording of a 110-minute CPE webinar with Q&A
This course will guide employee benefits administrators and audit advisers on conducting risk assessments of cybersecurity measures for employee benefit plans. The panel will discuss the specific fiduciary duties imposed on sponsors and administrators to protect individual identity and health information, offer practical strategies for ensuring the adequacy of cybersecurity processes, and discuss how auditors can properly document cybersecurity risk assessments in audits of ERISA plans.
Outline
- Trends in ERISA data breaches: healthcare and retirement plans
- ERISA fiduciary obligations concerning data breaches
- Health plan requirements vs. ERISA investment plans
- HIPAA duty to safeguard protected health information under DOL Reg. 2520.104b-1(c)
- Applying ERISA Section 404 fiduciary duty to act with "care, skill, prudence and diligence" to data protection
- Fiduciaries' obligation to monitor third-party service providers
- ERISA 2016 cybersecurity guidance
- State data protection and anti-breach laws and ERISA preemption post-Anthem
- Incorporating cybersecurity protections into retirement plan contracts with TPAs
- AICPA and CAQ guidance
- Auditor's limited role in addressing cybersecurity in a financial statement audit
- Addressing disclosures in financial statements and ICFR
- Third-party organizations and SOC 2 audits
Benefits
The panel will review these and other key issues:
- What specific obligations do plan sponsors and fiduciaries have when responding to an occurrence of a data breach?
- How can plan sponsors manage their breach response to safeguard plan data and reduce the risk of legal and regulatory action?
- What are the lessons from the Anthem litigation and recent breaches of retirement plan employee information?
- How can cybersecurity protections be incorporated into retirement plan contracts with TPAs?
Faculty
Amy M. Gordon
Partner
Winston & Strawn
Ms. Gordon focuses her practice on welfare benefits including the Health Insurance Portability and Accountability Act (HIPAA) privacy components, the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, the Internal Revenue Code, the Affordable Care Act (ACA) and its replacement legislation, and related federal and state laws and regulations. She is a fellow of the American College of Employee Benefits Counsel. Ms. Gordon regularly advises clients on their self-funded and insured health plans, wellness programs, and on-site clinics. She also works with service providers to structure these products for their plan customers.
Allison Itami
Principal
Groom Law
Ms. Itami advises employers and service providers on employee benefit programs, with a focus in federal laws such as ERISA and the Internal Revenue Code, and the ways in which state laws affect benefit plans.
Jesse St.Cyr
Partner
Poyner Spruill
Mr. St.Cyr has experience working with a diverse range of benefits and compensation matters including those involving mergers and acquisitions, qualified and non-qualified deferred compensation, equity compensation, welfare benefits, fringe benefits, and executive employment and severance agreements.