Archived Insight | April 25, 2019

Incident Response Plans: Be Prepared for a Data Breach

As plan fiduciaries, sponsors are ultimately responsible for data protection. That’s true even when day-to-day cybersecurity is delegated to the third-party administrator (TPA) handling benefits administration.

That’s why it’s important for sponsors of plans with outsourced administration to oversee cybersecurity and create an incident response plan.

Have a question? We have answers.

Send us a message. 

Speak with Us

Key aspects of cybersecurity oversight

Thorough oversight of outsourced cybersecurity includes these steps:

It’s also important for plan sponsors with outsourced administration to have an incident-response plan they can follow in the event of an actual data breach.

What to include in an incident response plan when you've outsourced to a TPA

You'll need an incident response plan even if you've outsourced all of your administration tasks to a TPA. To develop a meaningful incident response plan in this scenario, address all of the following:

Be prepared — and avoid finger-pointing

Monitoring outsourced cybersecurity gives you confidence that your plan data is being adequately protected.

Creating an incident response plan helps ensure you’ll be prepared to respond if plan data is breached. If you’ve outsourced functions to more than one vendor, having an incident response plan will help avoid finger-pointing among vendors in the event of a breach.

Read other insights

Mature Businessman Brainstorming Notes On A Glass Wall In An Office

Q2 2025 Trends Focus: Cognitive Health in the Workplace

Mitigating the impact of dementia on your workforce: Our Q2 2025 Trends has 7 strategies to help plan sponsors address cognitive health.
Coworkers In A Meeting

Multiemployer Pension Plan News for Q1 2025

Multiemployer retirement plan sponsors: Get caught up on 5 important topics in our recap of first quarter news impacting multiemployer pension plans.
Granddaughter Helping Grandparents Working In Vegetable Garden

Social Security Administration Updates Form SSA-1945

Public sector employers and pension plans that don’t participate in Social Security should send the updated Form SSA-1945 to new hires to sign before

This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.