Supervising Vendors is a Top Fiduciary Priority
In today’s digital age, where data breaches and cyber threats loom large, safeguarding employee benefit plan data and assets has become a critical responsibility for the leaders of organizations of all sizes.
Vendor Risks Saturate Employee Benefit Plans
Employee benefit plans, such as retirement plans, health insurance, and other welfare programs, rely on external service providers to handle various aspects of plan administration. Implementing a robust third-party risk management (“TPRM”) program is essential to protect the interests of plan participants and ensure compliance with relevant regulations.
Selecting and monitoring service providers is a tenet of fiduciary duty under the Employee Retirement Income Security Act (“ERISA”). That duty makes vendor oversight a critical internal control issue, one that belongs at the highest priority of plan governance.
Professional cyber thieves have focused their attention on the large pools of data and dollars held in retirement plans. Of equal value to them are the personally identifiable information (“PII”) and personal health information (“PHI”) of plan participants.
The U.S. Department of Labor’s enforcement arm, which is the Employee Benefits Security Administration (“EBSA”), is aggressively auditing ERISA plan sponsors to ensure they have a TPRM program that adheres to its April 2021 guidelines. CPAs who conduct annual ERISA plan audits are more demanding than ever about the presence of TPRM-related internal controls in an employer’s governance system.
Setting Up the Controls
Setting up TPRM internal control procedures is essential for organizations to safeguard their employee benefit plans, maintain compliance with laws and regulations and satisfy the plans’ auditors. These procedures help identify and mitigate risks, prevent fraud, and help validate the capabilities of their service providers.
Risk Assessment
Begin by identifying the third parties involved in administering the benefit plans and their subservice contractors.
Service providers like recordkeepers, healthcare providers, payroll companies, and financial planners that serve plan participants commonly engage other vendors to help them serve their clients. These fourth-party (and nth-party) organizations are often invisible to plan committees and plan participants, yet a breach of their IT systems can cause significant damage to benefit plans.
Using data collected on questionnaires tailored to the EBSA’s guidelines, assign a relative weight to each criterion, test how well each vendor conforms, and produce a security score for each assessed entity.
The EBSA’s auditors expect employers to assess the safety of their employee benefit plan service providers’ data systems. Yet when asked to respond to benefit plan committees’ questionnaires about IT-related questions, most vendors provide very few relevant details.
Vendor Tracking
To get the answers needed to fulfill regulatory requirements, Cyber-ProtectRC uses artificial intelligence (“AI”) to retrieve, in real time and around the clock, data that defines the safety of vendors’ network systems, and scores the results for easy interpretation. Vendor tracking of that type is essential in whatever process your plan uses to prove conformance to the EBSA’s standards.
Learn more at this webinar:
Third-Party Risk Management for Employee Benefit Plans
TPRM is a Regulatory Imperative
TPRM has emerged as a widely used discipline for the selection and monitoring of vendor performance and fees. Professional supply chain management executives have relied on TPRM for decades to ensure optimal vendor performance and cost-effectiveness.
However, its significance has transcended the realm of supply chain management. It has now become an integral part of the Department of Labor’s (“DOL”) standards of fiduciary care for employers’ management of their retirement plans.
This evolution underscores the critical role TPRM plays in not only optimizing vendor relationships but also in ensuring compliance with regulatory standards and fiduciary responsibilities.
Roland|Criss offers a comprehensive TPRM program that creates peace of mind for retirement plan committees and human resources leaders.