Archived Insight | April 25, 2019

Incident Response Plans: Be Prepared for a Data Breach

As plan fiduciaries, sponsors are ultimately responsible for data protection. That’s true even when day-to-day cybersecurity is delegated to the third-party administrator (TPA) handling benefits administration.

That’s why it’s important for sponsors of plans with outsourced administration to oversee cybersecurity and create an incident response plan.

Have a question? We have answers.

Send us a message.

Speak with Us

Key aspects of cybersecurity oversight

Thorough oversight of outsourced cybersecurity includes these steps:

Review contract language — and revise it if necessary. Every contract with a TPA or recordkeeper should have unambiguous language about cybersecurity. The contract should clarify that the vendor is responsible for any data breach incidents that occur on its watch. That responsibility should encompass assuming all of the costs associated with the breach.
Conduct routine audits. The purpose of these audits is to validate that the vendor(s) is performing adequate security functions. Such audits are especially important when a contract states the vendor has that responsibility.
Test responses to cybersecurity incidents. This testing should be routine. One of the most important aspects of how a vendor handles an incident is its response time. An incident that takes a long time to fix could affect the plan’s ability to pay pension checks or other benefits on time.

It’s also important for plan sponsors with outsourced administration to have an incident-response plan they can follow in the event of an actual data breach.

What to include in an incident response plan when you've outsourced to a TPA

You'll need an incident response plan even if you've outsourced all of your administration tasks to a TPA. To develop a meaningful incident response plan in this scenario, address all of the following:

Identify critical business processes and alternative processing methods. Alternatives may be needed if incident resolution is prolonged. Some incidents can take weeks or months to fully remediate.
Maintain a list of contact names and phone numbers for all vendors. Be sure to keep it current as vendor contacts may come and go frequently.
Map how data and other information move among various entities. This is important because an incident at one vendor could infiltrate another vendor. And if the infiltrated vendor is not alerted, the vendor could blame (and may sue) the plan sponsor.
Outline incident response steps. Document resolutions and outcomes.
Create a comprehensive communications plan. Participants, business partners, law enforcement, government agencies and the media will direct questions to the plan sponsor — not to the outsourced vendor. The communications component of the incident response plan is a guide for when and how to release information to stakeholders.
Define roles and responsibilities. This is a crucial part of the incident response plan. It identifies who will do what if data is breached.

Be prepared — and avoid finger-pointing

Monitoring outsourced cybersecurity gives you confidence that your plan data is being adequately protected.

Creating an incident response plan helps ensure you’ll be prepared to respond if plan data is breached. If you’ve outsourced functions to more than one vendor, having an incident response plan will help avoid finger-pointing among vendors in the event of a breach.

Read other insights

Diverse business colleagues have a meeting

Reporting and Disclosure Guide for Benefit Plans 2025

Segal’s comprehensive Reporting and Disclosure Guide for Benefit Plans is the go-to guide for navigating compliance requirements.

Health, Compliance, Retirement, Multiemployer Plans, Public Sector, Healthcare Industry, Higher Education, Architecture Engineering & Construction, Corporate, Pharmaceutical

Read Full Insight

Happy Mature Couple Looking Outside The Window

Multiemployer Pension Plan News for Q4 2024

Multiemployer retirement plan sponsors: Get caught up on 5 hot topics in our recap of fourth quarter news impacting multiemployer pension plans.

Retirement, Investment, Multiemployer Plans

Read Full Insight

Business Team Discussing New Ideas At The Office

Most SECURE 2.0 Plan Design Options Fully Available for 2025

The Treasury and the IRS have issued guidance for recordkeepers to administer the plan design options SECURE 2.0 made available to DC plan sponsors.

Compliance, Retirement, Multiemployer Plans, Public Sector, Healthcare Industry, Higher Education, Corporate, Architecture Engineering & Construction

Read Full Insight

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.