These EBPAQC Qs & As help plan auditors understand cybersecurity risk in employee benefit plans (EBPs) and discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients.
They address:
How EBPs are at risk for cyberattacks,
What plan information and assets are at risk,
Potential consequences of a cyberattack,
Examples of cyber threats to EBPs,
Fiduciaries’ responsibilities for protecting plan information and responding to breaches,
The plan auditor’s responsibility for evaluating cybersecurity risk and controls in a plan audit,
Cybersecurity considerations when plan administration is performed by a third-party provider,
Whether a SOC 1 report addresses a plan’s internal control over cybersecurity controls and risk,
Resources available to help plans address their cybersecurity risks,
Effective practices and policies to protect against cyberattacks, and
Resources available to help plan management determine the adequacy of the plan’s cybersecurity risk management strategy and program and related communications to plan fiduciaries and third parties.