Benefit Insights | Spring 2021 | Page 4

A NON-TECHNICAL REVIEW OF QUALIFIED RETIREMENT PLAN LEGISLATIVE AND ADMINISTRATIVE ISSUES
Ask about the service provider's information security standards, practices, and policies, as well as audit results, and compare them to the industry standards adopted by other financial institutions.
Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
Evaluate the service provider's track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendors' services.
Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider's own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant's account).
When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards, and beware of contract provisions that limit the service provider's responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants.
Cybersecurity Program Best Practices: Includes best practices designed to assist plan fiduciaries and recordkeepers in managing cybersecurity risks.
Have a formal, well-documented cybersecurity program.
Conduct prudent annual risk assessments.
Have a reliable annual third-party audit of security controls.
Have clearly defined and assigned information security roles and responsibilities.
Have strong access control procedures.
Ensure that assets or data stored in the cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
Upcoming Compliance Deadlines for Calendar-Year Plans
15th May 2021
Quarterly Benefit Statement – Deadline for participant-directed plans to supply participants with the quarterly benefit/disclosure statement, including a statement of plan fees and expenses charged to individual plan accounts during the first quarter of this year. Note that May 15th falls on a weekend in 2021. No clear guidance allows extending the deadline to the next business day.
30th June 2021
EACA ADP/ACP Corrections – Deadline for processing corrective distributions for failed ADP/ACP tests to avoid a 10% excise tax on the employer for plans that have elected to participate in an Eligible Automatic Enrollment Arrangement (EACA).
29th July 2021
Summary of Material Modifications (SMM) – An SMM is due to participants no later than 210 days after the end of the plan year in which a plan amendment was adopted.
2nd August 2021
Due date for calendar-year-end plans to file Form 5500 and Form 8955-SSA (without extension).
Due date for calendar-year-end plans to file Form 5558 to request an automatic extension of time to file Form 5500.
14th August 2021
Quarterly Benefit Statement – Deadline for participant-directed defined contribution plans to provide participants with the quarterly benefit/disclosure statement and statement of plan fees and expenses that were charged to individual plan accounts during the second quarter of 2021. Note that August 14th falls on a weekend in 2021. No clear guidance allows extending the deadline to the next business day.