Compete for Cannabis Employees with a Top-Notch Retirement Plan

Date May 6, 2022
Article Authors
Gabrielle Herdman

Article updated April 2024.

Every industry has its share of contested questions, and many of them are shared across industries. One of those shared questions is employee attraction and retention: how does an employer in a given industry attract and keep talent? As markets and businesses mature, competing for talent becomes harder, and there are many incentives a company can offer to compete at the top of that market. One of the most valuable is a retirement plan. When a prospective employee weighs offers from several companies, pay, health benefits, and the employer's foundation typically figure in the decision. Those factors are often similar across employers, which is why a top-notch retirement plan can make the difference between a candidate accepting and rejecting your offer. A retirement plan can help with attraction and retention, but designing the right plan is difficult even in a typical industry. One industry faces additional challenges, from banking access to regulatory and tax law, and building the right retirement plan is one more hurdle for the companies in it. That not-so-typical industry is cannabis, and cannabis businesses benefit most from working with professionals who specialize in the industry and can help them navigate these challenges.

HBK Cannabis Solutions was among the first CPA firms to specialize in accounting services for the cannabis industry, and we have worked alongside entrepreneurs in every industry segment (cultivators, processors, and retailers), from small businesses with a single facility to multi-location and vertically integrated operations. We can assess your current accounting system, advise you, and implement accounting that complies with GAAP and IRS rules. In addition, HBK is a member of the American Institute of Certified Public Accountants (AICPA) Employee Benefit Plan Audit Quality Center. Our professional staff serving employee benefit engagements use this affiliation to keep abreast of the latest developments in accounting for employee benefit plans, to communicate with AICPA staff and other members on technical benefit issues, and to pursue continuing education and technical research in the field. HBK CPAs & Consultants can help you determine whether you need an audit, prepare you for a future audit, and conduct the audit.

HBK has summarized some tips to help your Company get started and stay on track along the way:

  • Consult with your financial institution: A financial institution representative can arrange meetings with potential third-party administrators, advisors, and investment managers who are familiar with the cannabis space.

  • Structure: Be as transparent as possible with third parties about the structure of your business. Advisors may decline to work with you because of your Company's relationship with cannabis, and that issue is best addressed at the start of the process. For example, if plant-touching employees are employed by a separate entity that handles the cannabis operation's accounting and sponsors the retirement plan, share that arrangement with all parties.

  • Honesty: Businesses in the cannabis space face well-known challenges. Those that apply to your Company and its clients should be communicated to the professionals you are working with. Be honest and upfront with them as early in the process as possible.

  • Advising: An advisor is a good professional to build a relationship with, because an advisor familiar with the industry understands many of the challenges a cannabis business faces and can help solve them. To find out whether an advisor is familiar with the cannabis industry, ask about their past experience with cannabis companies and request a copy of their most recent SOC 1 report.

  • ERISA: Retirement plans benefit both companies and employees when operated properly. The cannabis industry, medical or recreational, already receives enough federal scrutiny; you do not want compliance issues with the Department of Labor or the Internal Revenue Service over a retirement plan. Consulting an ERISA attorney is an important step in keeping those issues out of your Company.

  • Budget: Developing and maintaining a proper retirement plan is not free. Your Company should understand the cost of establishing and maintaining the plan and confirm that the plan makes financial sense, since many questions factor into its cost. For example, will the employer or the plan pay the administrative expenses?

  • Legal obligations: An employee benefit plan is a long-term commitment to provide a financially secure retirement to participating employees. Outsourcing certain administrative functions of the plan is an option, but you remain ultimately responsible for plan oversight, so it is crucial that your Company understands all of the legal obligations attached to the plan.

After a Company has implemented a retirement plan, the work may not be done. Consult your CPA or CPA firm, because a substantial number of employee benefit plans are subject to an employee benefit plan audit.

The first step in determining whether your retirement plan needs an audit is to determine whether the plan is classified as a “small plan” or a “large plan”. For plan years beginning in 2023 and later, this determination is based on the number of participants with account balances at the beginning of the plan year. Small plans generally have fewer than 100 participants at the beginning of the plan year, while large plans have 100 or more. There is one exception, the “80-120 Participant Rule”: if the number of participants is between 80 and 120 and a Form 5500 was filed for the prior plan year, your Company may elect to file in the same category, small or large, as it filed in the prior year.
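The following helper applies the small/large determination and the 80-120 Participant Rule described above. It is an added example, not code from the HBK article; the function and field names are this example's own, and it assumes the caller supplies the participant count at the beginning of the plan year (for plan years beginning in 2023 or later, participants with account balances) and, where a Form 5500 was filed for the prior year, the category in which it was filed.

```python
"""Small/large plan determination with the 80-120 Participant Rule.

Added example (not part of the original article). Assumptions:
  - `participants` is the count at the beginning of the plan year.
  - `prior_year_category` is "small", "large", or None when no Form 5500
    was filed for the prior plan year (a new plan, for instance).
"""
from dataclasses import dataclass
from typing import Optional

SMALL_PLAN_LIMIT = 100      # fewer than 100 participants -> small plan
ELECTION_BAND = (80, 120)   # inclusive band for the 80-120 Participant Rule


@dataclass(frozen=True)
class FilingDetermination:
    default_category: str     # "small" (< 100) or "large" (>= 100) with no election
    election_available: bool  # True when the 80-120 rule lets you keep the prior category
    elected_category: str     # category if the election is taken (default when unavailable)


def determine_filing(participants: int,
                     prior_year_category: Optional[str] = None) -> FilingDetermination:
    """Classify a plan for the current year and report whether the 80-120 election applies."""
    if participants < 0:
        raise ValueError("participant count cannot be negative")
    if prior_year_category not in (None, "small", "large"):
        raise ValueError("prior_year_category must be 'small', 'large', or None")

    default = "small" if participants < SMALL_PLAN_LIMIT else "large"

    # The election exists only inside the band AND only if a prior-year Form 5500
    # was filed; a brand-new plan with 105 participants cannot elect to file as small.
    low, high = ELECTION_BAND
    election = low <= participants <= high and prior_year_category is not None
    elected = prior_year_category if election else default

    return FilingDetermination(default, election, elected)


def audit_required(category: str) -> bool:
    """Large plans attach Schedule H to Form 5500, which carries the audit requirement."""
    return category == "large"


if __name__ == "__main__":
    # Constructed scenario: a plan that filed as small last year and now has 105 participants.
    result = determine_filing(105, prior_year_category="small")
    print(result)
    print("audit required if election taken:", audit_required(result.elected_category))
```

Note the two directions of the election: a plan that filed as large last year and dropped to 95 participants may keep filing as large, just as a plan that filed as small and grew to 105 may keep filing as small. Whether to take the election is a judgment call for the sponsor and its CPA; the helper only reports when it is available.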

The main difference between a small and a large plan is the schedule that must be filed with Form 5500. A small plan files a Schedule I, which does not trigger an employee benefit plan audit; a large plan files a Schedule H, which does. If your Company is required to have an employee benefit plan audit, it is wise to engage a strong CPA firm to assist you with the process.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Employee Benefits Security Administration's Cybersecurity Guidance Part 2: Cybersecurity Best Practices

Date April 11, 2022
Article Authors
HBK CPAs & Consultants

Part two of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants is provided in three forms:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online


Cybersecurity program best practices

In part one of our series on the Department of Labor's Employee Benefits Security Administration's (EBSA's) recently issued cybersecurity guidance, we focused on the “tips for hiring a service provider” and advocated implementing a third-party risk management program to support those efforts. Those tips cover one aspect of a third-party risk management program. Although adopting a complete third-party risk management program is not specifically addressed in the DOL guidance, the need becomes evident on exploring EBSA's second “form” of guidance, “cybersecurity program best practices,” which is designed to help plan fiduciaries and record keepers meet their responsibilities to manage cybersecurity risks.

ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

The Employee Benefits Security Administration has prepared the following best practices for use by record keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries looking to make prudent decisions on the service provider they are considering for hire. According to the DOL guidance, plans’ service providers should:

  1. Have a formal, well-documented cybersecurity program.

  2. Conduct prudent annual risk assessments.

  3. Have a reliable annual third-party audit of security controls.

  4. Clearly define and assign information security roles and responsibilities.

  5. Have strong access control procedures.

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

  7. Conduct periodic cybersecurity awareness training.

  8. Implement and manage a secure system development life cycle (SDLC) program.

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.

  10. Encrypt sensitive data, stored and in transit.

  11. Implement strong technical controls in accordance with best security practices.

  12. Appropriately respond to any past cybersecurity incidents.


The specific details of each of the 12 best practices can be found in the DOL's “Cybersecurity Program Best Practices” document.

While nos. 2 through 12 offer more specifics, we recommend you focus first on no. 1, establishing a formal, well-documented cybersecurity program, because a program of that kind will already include nos. 2 through 12. The remaining step is actually implementing the program you have formalized.

Bringing the entirety of the EBSA guidance full circle, we recommend the following steps:

  • Develop a cyber program: Leveraging established standards can assist you in developing your program. We recommend exploring ISO 27001 or the NIST Cybersecurity Framework. Each has its own advantages, and, if nothing else, offers guidance for establishing a program.
  • Implement the program: Establishing the policies and procedures required for developing a cyber program is one project. Implementing the policies and procedures is another. This may take some time depending on your current security maturity.
  • Test the effectiveness of your program: Undergo a third-party audit as mentioned in item no. 3 of EBSA's best practices. Audit, both internal and external, is a key component of an effective, enduring cybersecurity program.
  • Communicate the program to stakeholders: As pointed out in the first “form” of guidance issued by EBSA, your stakeholders will want to know the details of your security initiatives, including the controls you have in place and their effectiveness.

Often, the last two steps can be achieved in one engagement. SOC reporting offers assurance through an audit in which a CPA opines on the effectiveness of controls, and the resulting report communicates the design and operating effectiveness of your security program. Choose the right report: a SOC 2 Type II report, which covers the security trust services criteria over a period of time, is the one that speaks to these practices, whereas a SOC 1 addresses controls relevant to financial reporting. We strongly recommend that you use a reputable audit firm with security and SOC experience.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: “Online security tips,” the third form of guidance and the subject of the final installment of our three-part series on the U.S. Department of Labor's “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

Click here to read part one.




Employee Benefits Security Administration's Cybersecurity Guidance Part I: Hiring a Service Provider

Date April 1, 2022
Article Authors
HBK CPAs & Consultants

Part one of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

Nearly a year ago, in April 2021, the Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of 1974 (ERISA). The guidance includes best practices for maintaining cybersecurity and tips for protecting workers' benefits, addressed to plan sponsors, plan fiduciaries, record keepers, and plan participants.

As noted in the release, the guidance is provided under three forms:

  • Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA
  • Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks
  • Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.

Tips for hiring a service provider

Business owners often rely on service providers to maintain plan records, keep participant data confidential, and keep plan accounts secure. And if the myriad data breaches and security incidents of recent years have taught us anything, it is that we are only as strong as our weakest link. Therefore, to satisfy ERISA guidance and secure confidential data, it is critical that plan sponsors use service providers with stringent cybersecurity practices. The DOL recommends the following:

  • Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Ideally the service provider follows a recognized standard for information security and uses an outside (third-party) auditor to review and validate their cybersecurity practices.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards, and be wary of contract provisions that limit the service provider's responsibility for IT security breaches.

The first and last of the six tips are particularly noteworthy.

  • The first tip notes: “Ideally the service provider follows a recognized standard for information security and uses an outside (third-party) auditor to review and validate their cybersecurity practices.” This is the most critical tip. A credible service provider should be able to provide a single report issued by an independent auditor (most commonly a “SOC” report) that addresses the other five tips. The report should include information on the service provider's data security standards, practices, and policies, and the related audit results. It should disclose recent security incidents and breaches, and whether the service provider uses insurance as one of its risk mitigation mechanisms (hopefully it is not relying strictly on insurance to mitigate these risks).
  • According to tip six: “When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards …” This tip ensures your service provider will continue to adhere to cybersecurity compliance and best practices and continue to undergo independent audits of those requirements. Your service provider is thereby incentivized, if not required, to stay vigilant about evolving cybersecurity threats and changes in best practices. In our engagements, HBK Risk Advisory Services regularly stresses the importance of third-party risk management as specified by this point of the DOL guidance.

While the DOL guidance provides tips for hiring a service provider, your responsibility for managing vendor risk doesn’t stop there. It remains your responsibility to regularly assess and evaluate that service provider. Technology and cyber threats are constantly evolving, and so should your business’s and your service providers’ practices. Assessing a firm at engagement doesn’t satisfy the need to continually improve and adapt to the evolving cybersecurity landscape.

We recommend that to meet the needs of this guidance you establish a third-party risk management program. The program will set policies and procedures for managing third-party providers from pre-hire evaluation, contracting, and on-boarding, throughout their tenure as a service provider, and upon termination.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: Third-party risk management is a component of “Cybersecurity Program Best Practice,” the subject of the next of our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”
