These EBPAQC Qs & As help plan auditors understand cybersecurity risk in employee benefit plans (EBPs) and discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients. They address:
How EBPs are at risk for cyberattacks,
What plan information and assets are at risk,
Potential consequences of a cyber-attack,
Examples of cyber-threats to EBPs,
Fiduciary’s responsibilities for protecting plan information and responding to breaches,
The plan auditor’s responsibility for evaluating cybersecurity risk and controls in a plan audit,
Cybersecurity considerations when plan administration is performed by a third-party provider,
Whether a SOC 1 report addresses a plan’s internal control over cybersecurity controls and risk,
Resources available to help plans address their cybersecurity risks,
Effective practices and policies to protect against cyber-attacks, and
Resources available to help plan management determine the adequacy of the plan’s cybersecurity risk management strategy and program and related communications to plan fiduciaries and third parties.