Employee Benefit Plan data is an attractive target for cybercriminals
Today’s businesses learn more about cybersecurity every day, but it’s still a challenge to stay ahead of those who could hack their systems for fun or profit. With stories of cyber breaches reported in almost every news cycle, executives have come to appreciate the importance of protecting customer data from outside attacks. But customers aren’t the only people who share private data with businesses.
Employees submit sensitive personal information to their employers and the benefit plan managers that employers choose. The data shared can range from the same type of financial information that businesses get from customers to much more sensitive health and personal information than most companies would ever request from clients or customers. Cybersecurity efforts generally offer some benefit to every type of information a business needs to guard, but employee benefit plan (EBP) data deserves some extra attention.
EBP data is a prime target for cyber-attacks because:
- It’s almost entirely electronic,
- It’s typically maintained on multiple systems (e.g. the employer’s, the third party administrator’s, the payroll provider’s), and
- Updates are transmitted regularly among the parties.
Protecting Sensitive Employee Benefit Plan Data From a Cybersecurity Attack
Hackers can approach from a variety of directions. They can phish in the employer’s environment, attack firewalls at a plan administrator, or intercept transmissions of data passing between the parties. It’s not hard to figure out when your paydays are, or when you transmit W-2s to your employees.
With so many potential vulnerabilities, what steps can employers take to protect sensitive employee benefit plan data? Here are five strategies your organization can deploy:
- Internal Cybersecurity Strategy – Prepare a Cybersecurity Risk Management Plan
The first step every employer needs to take to protect EBP data is to account for it in a cybersecurity risk management plan. Everybody lives in fear of hearing that their customers’ credit card info has been stolen and posted to the web, so they focus efforts on protecting customer transactions. Employers need to treat EBP data with the same sense of urgency and make sure that internal cybersecurity plans address specific needs in this area.
- Point out that phishing scams can target benefit information just as easily as they target customer databases.
- Coordinate with benefit providers to train employees on how they initiate contacts. If your 401(k) provider says, “We never initiate a contact via e-mail,” your people need to be suspicious if they get an unexpected e-mail from them.
- Cybersecurity penetration tests need to include EBP systems.
- External Cybersecurity Strategy – Have an Expert Prepare a System and Organization Control Report (SOC Report)
EBP service providers typically place a high premium on cybersecurity. They understand how attractive their systems are to hackers and how much their reputation depends on protecting client data. But how can you evaluate the effectiveness of a provider’s data security precautions?
These external service providers can hire CPAs to prepare “System and Organization Control” (SOC) reports that communicate relevant information about the effectiveness of their cybersecurity risk management programs. Employers who outsource employee benefit functions can review these reports to learn more about how a provider protects the sensitive information it receives.
- Transmissions - Evaluate the Security of Your Communication Channels
Don’t overlook the fact that employee benefit plan data needs to get from your protected environment to your provider’s protected environment without being hijacked along the way. Be sure to evaluate the security of your communication channels and consider options for encryption and securing shared servers.
In the event two providers share data directly (such as a payroll service transmitting data to a 401(k) provider), take time to verify that their handoffs meet your requirements.
- Mitigation of Cybersecurity Damages – Basic Alerts
As much as businesses plan to manage cybersecurity risks, no system is invincible. For this reason, your EBP cybersecurity plan must provide for the mitigation of damages in the event of a breach. You should have some basic alerts drafted to notify affected individuals as quickly as possible, and you should consider providing benefits like credit monitoring so that employees can protect themselves before their data is used fraudulently.
- Connect with Freed Maxick Cybersecurity Experts
In a competitive employment market, businesses need to take every step possible to make themselves attractive to potential employees and to avoid the kind of damage that an EBP breach can cause to a reputation.
If you’re wondering whether your cybersecurity risk management plan adequately covers your EBP needs, Freed Maxick can help. We have the experience to evaluate all facets of your EBP security and to help you remediate any issues that may exist.
For more information, please contact us here or call 716.847.2651.
12 Questions to Ask Your Current or Prospective Auditor to Ensure You're Exercising Proper Due Diligence
Plan fiduciaries for Employee Benefit Plans are held to the highest legal standard and are required to act solely in the interest of the plan and its participants. Plan fiduciaries can be held personally liable if their fiduciary duties are breached. Most fiduciaries are aware of their duties surrounding the selection of investment options, acting in the plan's best interest, and assessing the reasonableness of plan fees. However, most plan fiduciaries may not be aware that exercising the proper due diligence when selecting a plan auditor is also considered an important fiduciary responsibility.
In May of 2015, the DOL released a report titled “Assessing the Quality of Employee Benefit Plan Audits” that found there was nearly a 40% deficiency rate in their review of employee benefit plan audits. The report makes a number of recommendations, including increasing DOL outreach and enforcement related to audit quality.
Further, in November 2015, plan sponsors who either have or were close to having 100 or more participants in their employee benefit plans received a notice from the DOL emphasizing that the selection of a plan auditor is a fiduciary function and that deficient audits can cause plans to fall out of legal compliance and result in significant civil penalties being imposed on the plan administrator. The DOL intends to target 5500’s filed by plan sponsors whose auditor firms perform fewer than 100 audits per year.
What Should Plan Sponsors and Plan Fiduciaries Do?
What can Plan Sponsors do to ensure that they exercise the proper due diligence when selecting or retaining a plan auditor? In the November 2015 notice sent to plan sponsors, the DOL provided a list of questions to ask your current or prospective auditor:
- How many employee benefit plans does the CPA audit each year, and what plan types?
- What annual training has the CPA received in auditing plans? Be specific.
- What is the status of the CPA’s license with the applicable state board of accountancy?
- Has the CPA been the subject of any prior DOL findings or referrals, or has it been referred to the state board of accountancy or American Institute of CPAs for investigation?
- Has the CPA’s employee benefit plan audit work recently been reviewed by another CPA (this is called a ‘Peer Review’), and if so, did such review result in negative findings?
You can also follow DOL’s guidance in its “Selecting an Auditor for Your Employee Benefit Plan” booklet by asking your auditor specific questions about whether certain tests were performed during your last audit. The DOL specifically suggests you ask them to confirm the following:
- Whether plan assets have been fairly valued;
- Whether plan obligations are properly stated and described;
- Whether contributions are transmitted in a timely manner;
- Whether benefit payments are being made in accordance with the plan’s documents and terms;
- Whether participant balances/benefits, as applicable, are correctly stated;
- Whether there are any potential disqualification issues; and
- Whether “prohibited transactions” have been identified.
Fiduciaries should consider documenting the questions asked along with their responses in their meeting minutes to provide adequate documentation that the governing body took the appropriate steps to both select and monitor the activities of their plan auditors.
Your CPA should act as a trusted advisor and be able to guide you through the appropriate steps and documentation to ensure you have fulfilled your fiduciary responsibilities.
Education on Fiduciary Responsibilities Is Key to Avoiding Civil and Tax Penalties
Offering a retirement plan can be one of the most challenging, yet rewarding decisions an employer can make. All those involved, including employees, beneficiaries, and the employer benefit from having a plan in place. However, employers and plan fiduciaries have specific responsibilities they should be aware of in administering a plan and managing its assets. These responsibilities help employers and fiduciaries stay within the laws and regulations of the plan.
What is a Prohibited Transaction?
A prohibited transaction is a transaction between a plan and a disqualified person that is prohibited by law. Disqualified persons are those who, by virtue of their relationship to the plan, may be in a position to self-deal. Disqualified persons cover a range of people including fiduciaries, employers, unions (and their officials), employee organizations, and persons providing services to the plan such as lawyers and accountants. Prohibited transactions are exactly what the name says: transactions the plan is barred from entering into.
A plan fiduciary shall not cause the plan to engage in a transaction that generally includes the following:
- A fiduciary’s act by which they deal with the plan income or assets in their own interest;
- Sale, exchange, or leasing of any property between a plan and a disqualified person;
- Lending of money or other extension of credit between a plan and a disqualified person;
- Furnishing of goods, services, or facilities between a plan and a disqualified person;
- Transfer to, use by, or for the benefit of a disqualified person, of any assets of the plan;
- Acquisition or holding, on behalf of the plan, of any employer security or employer real property that would be in violation of the plan; and
- The receipt of any consideration for the personal account of a fiduciary from any party dealing with the plan.
Most Common Prohibited Transactions
The most common prohibited transaction is the failure of plans to timely deposit employee deferrals and loan repayments to the plan. The timely deposit of employee deferrals has been a highly publicized issue for the Department of Labor (DOL). The DOL’s audit procedure is to review the Plan sponsor’s pattern for depositing deferrals. If, for example, a sponsor is able to deposit deferrals within three business days after the pay date, but deposits one pay date’s deferrals ten business days after the pay date, that payroll is deemed to be a prohibited transaction. The DOL reasons that the sponsor has shown an ability to deposit the money within a shorter time frame; therefore the funds for that one pay date were not deposited “as soon as reasonably segregable.”
When this occurs, the DOL deems the Plan sponsor to have taken a loan from the Plan. This loan is prohibited under ERISA’s party-in-interest rules and has ramifications, which are different from other compliance errors. Prohibited transactions are required to be disclosed in a supplemental schedule to the Plan’s audited financial statements.
As such, the Plan sponsor is required to file Form 5330 and pay an excise tax on the amount of earnings lost by the Plan due to the loan. Finally, the Plan sponsor must ensure that the employee deferrals are remitted to the Plan, along with the earnings lost by the Plan due to the loan.
Multi-employer plans face the same timeliness issue with employer contributions that single-employer plans face with employee deferrals. Multi-employer plan fiduciaries are required to collect all contributions owed to a plan by participating employers. These plans need to establish and implement collection procedures which are reasonable, diligent and systematic, or they may be found to be engaging in a prohibited transaction for failing to collect delinquent contributions. In order to comply with the law, a plan must have a written delinquency collection policy which addresses the timing of contributions and the steps to be taken when the contributions are not received by the plan.
A second form of prohibited transaction involves 12b-1 fees. There’s a reason why self-dealing transactions have been verboten in all forms of trust: the action is too often misaligned with the best interests of the beneficiary. 401(k) plans that use 12b-1 fees and revenue sharing (the primary source of legal 401(k) self-dealing) underperform funds that don’t involve self-dealing by 3.6 percent. 12b-1 fees are ongoing fees paid out of fund assets.
When may 12b-1 fees be used? Often they are used to pay commissions to brokers and other salespersons, to pay for advertising and the costs of promoting the fund to investors, and to pay various service providers of a 401(k) plan pursuant to a bundled services arrangement. That this is not currently defined by the DOL as a breach of one’s fiduciary duty does not mean the liability has been removed from the plan sponsor. Two examples are International Paper (which settled for $30 million) and Cigna (which settled for $35 million). Both were accused of paying “excessive fees” for investing in funds that offer 12b-1 fees and revenue sharing.
The third most common prohibited transaction involves entering into a lease with a related party or party-in-interest. It is common in the multi-employer plan arena to share space with the union, another plan, or an employer. As union members and employer representatives make up the board of trustees, this transaction is considered “self-dealing.” However, there are certain exemptions and steps that can be taken to ensure this transaction is not considered a prohibited transaction.
There should be a formal written lease agreement, and the parties involved need to ensure that the compensation for the lease is reasonable. Lastly, any trustee with a possible conflict should recuse themselves from the decision to enter into the lease agreement.
Fall Out from Prohibited Transactions in both the Civil and Tax Arenas
Prohibited transactions may also trigger monetary penalties. Qualified pension plans engaged in prohibited transactions with a disqualified person are subject to the IRC section 4975 excise tax. A disqualified person who is in violation of IRC section 4975 must correct the transaction and pay the excise tax based on the amount involved in the transaction. The initial tax on a prohibited transaction is 15% of the amount involved for each year in the taxable period.
If the transaction is not corrected within the taxable period, an additional tax of 100% of the amount involved is imposed. Both taxes are payable by any disqualified person who participated in the transaction (other than a fiduciary acting only as such). If more than one person takes part in the transaction, each person can be jointly and severally liable for the entire tax.
Prohibited transactions will require the inclusion of certain ERISA supplemental schedules in a plan’s financial statements, but are correctable through the DOL’s Voluntary Fiduciary Correction Program (VFCP). Various forms will need to be filed with the DOL, including Part III of Schedule G, Form 5500; Schedule H line 4a (Delinquent participant contributions), Form 5500; and Form 5330.
What You Can do to Correct or Avoid Future Prohibited Transactions
Freed Maxick wants to make sure you fully understand the importance of avoiding prohibited transactions. As part of future audits or engagements, it might be wise to have your service provider(s) review your plans to ensure a prohibited transaction hasn’t taken place.
Carefully consider the implications a prohibited transaction carries: what it signals about management integrity, the cause and effect of a breach of fiduciary duties, and the required inclusion of ERISA supplemental schedules in the financial statements.
Be diligent before entering into a transaction and be consistent when you file. Educate yourself ahead of time on what the fiduciary responsibilities are; this will help you avoid prohibited transactions in the future.
Freed Maxick CPAs can help you identify possible prohibited transactions, aid in the preparation of additional schedules and governmental reporting forms that may be required, and help implement controls and policies to avoid future incidents. If you have any questions or concerns about a prohibited transaction, or would like to know more about our audit and tax services for employee benefit plans, call us at 716.847.2651.