Mitigating cybersecurity risks in health benefit plans is crucial — inadequate cybersecurity could have devastating consequences for the health benefit plan’s sponsor, administrator, and plan participants.
CPAs can improve trust in cybersecurity.
Organizations that provide employee health benefit plans must know the effectiveness of an organization’s entity-wide cybersecurity efforts, including how their third-party vendors manage cybersecurity.
When CPAs assess the effectiveness of a service organization’s controls, similar to how CPAs audit financial statements, the value of that information increases for analysts, investors, regulators, bankers, and other decision makers.
Read the full testimony of Mimi Blanco-Best, AICPA Associate Director, Attestation Methodology and Guidance, before the U.S. Department of Labor ERISA Advisory Council in July 2022 to learn more about:
Cybersecurity risks health benefit plans face
The plan auditor’s responsibility for evaluating cybersecurity risk and controls in an audit of a plan’s financial statements
Cybersecurity services CPAs can provide — beyond the basic financial statements — that support plan management’s assessment of the effectiveness of a service organization’s controls
Overview of the AICPA’s system and organization control (SOC) suite of services and related reporting frameworks, with a focus on how SOC 2 reports and SOC for Cybersecurity reports can provide plan management with information about a service organization’s (or other organization’s) cybersecurity efforts