Plan Sponsor Responsibilities for Cybersecurity and Record Retention

By Krista Steedly | Senior Associate – Audit & Assurance

Whether you are working with a health plan or a qualified plan, the plan sponsor as the fiduciary must pay attention to cybersecurity matters. With multiple data breaches having occurred recently, primarily relating to health plans, fiduciaries need to make certain that service providers have implemented procedures to protect data whether “in-flight” (during data movement) or “at-rest” (during storage).

Look at both your internal policies and your service providers:


  • Is sensitive data stored in an encrypted format?
    • When at-rest, is the data de-identified – temporarily disassociated from the person it concerns?
  • Is file encryption software used when data is transmitted?
  • What are your vendors’ and your internal policies relating to protections for mobile computing platforms?
  • How often do you scrub former employees’ credentials from the vendors’ system and from your system?
  • Do you have guidelines for strong passwords? Do you require that they be changed? Do you forbid sharing of passwords?
  • How often are periodic tests of backup and recovery plans performed?
  • What are the training policies to reinforce data security?
  • Determine responsibility for losses, including the adequacy of cybersecurity insurance coverage.
  • Request, read and understand the SOC 1 report of your service providers.

Remember that the responsibility to implement processes and controls to restrict access to a plan’s systems, applications and data, including third party records and other sensitive information, resides with those charged with plan governance. You, as the plan sponsor, are ultimately responsible.

Record Retention


Under ERISA, all plan-related materials should be kept for a period of at least six years after the date of filing of the Form 5500 report, and the materials should be preserved in a manner and format (electronic or otherwise) that permits ready retrieval. The actual signed plan documents must be retained indefinitely.

The documents that a qualified retirement plan must retain for ERISA purposes include the following:


  • The original signed and dated plan document, and all original signed and dated plan amendments. Make sure the dates and signatures are easily visible;
  • Copies of all corporate/partnership actions and administrative committee actions relating to the plan;
  • Copies of all communications to employees. These include Summary Plan Descriptions, Summaries of Material Modifications, and anything else describing the plan that is provided to participants or beneficiaries. Remember to include copies of videos, slides, and e-mails;
  • All financial reports, including Trustees’ reports, journals, ledgers, certified audits, investment analyses, balance sheets, and income and expense statements;
  • Copies of Form 5500;
  • Payroll records, including hours of service, used to determine eligibility and contributions, including details supporting any exclusion from participation. It is critical that sponsors keep complete census data, not just data on those who are eligible;
  • Hours of service and vesting determinations;
  • Plan distribution records, including Forms 1099-R;
  • Corporate income tax returns (to reconcile deductions);
  • Evidence of the plan’s fidelity bond;
  • Documentation supporting the trust’s ownership of the plan’s assets;
  • Copies of all documents relating to plan loans, withdrawals, and distributions. Include copies of spousal consents;
  • Copies of nondiscrimination and coverage test results;
  • Any other plan-related materials, such as claims against the plan.

Please contact your Apple Growth Partners advisor with any questions regarding your plan responsibilities.