Return to NASPP Blog
The NASPP Blog

Cybersecurity for Stock Plans

Subscribe to the NASPP Blog

December 12, 2019 | Jennifer Namazi

Cybersecurity for Stock Plans

It takes a lot of data to run a stock plan. In order to properly facilitate and administer stock plan transactions and associated reporting, sensitive information needs to be compiled and stored in a recordkeeping system. Data is maintained at both the employee and award/grant level.
Our survey data (NASPP/Deloitte 2017 Domestic Stock Plan Administration survey) tells us that the majority of companies are leaning on third party providers to perform core stock plan functions (only 14% of respondents said they don’t outsource at least one of the core stock administration functions, which includes recordkeeping). This means that most companies are transferring personally identifying, sensitive information about their employees - such as social security numbers, employee ID numbers and addresses (among other details) to third party providers. With all of this exchange of data, cybersecurity should be a priority for companies in maintaining their stock plans (and other benefits).

How should companies gauge whether there are solid controls in place to mitigate cybersecurity concerns? In a recent blog, Cybersecurity and Stock Plan Administrators (full blog available on, author Mike Melbinger (Partner, Winston & Strawn LLP) identified some areas of concern:

  • Some current contracts with service providers do not contain specific requirements for how the service providers must secure and maintain the privacy of the company’s PII, which may mean that the company has no oversight as to what its service providers are doing with the information. 
  • Other agreements may address the issue of security, not the issue of who would be responsible for the costs and damages of a breach (or worse, place that responsibility on the company).
What’s a Stock Plan Administrator to Do?

How do companies navigate the above concerns with their service providers? Melbinger suggests the following (my abbreviated interpretation):

  • Review and update agreements with third party providers to ensure that both companies have appropriate data privacy and security protections in place.
  • Consider whether to create a standard data privacy and security template for all of the company’s compensation and benefit plan agreements.
  • Evaluate state-specific laws. A number of states now are requiring companies to proactively vet and/or monitor their service providers that handle personal identifying information.
  • Remember that the CEO and CFO are required to certify the adequacy of controls and procedures for identifying cybersecurity risks and incidents. This last one stems from the SEC’s Statement and Guidance on Public Company Cybersecurity Disclosures.
I’m hearing more recent buzz about this topic, so stay tuned for additional information in the coming weeks and months. In the meantime, if you are seeking additional NASPP resources on cybersecurity as relates to stock plans, check out the following on our website:

Article: What Employers Need to Know About Cybersecurity Risk
NASPP Conference Session: Cyber Security and Insider Considerations

About Us

The National Association of Stock Plan Professionals is the largest and oldest professional association for the stock and executive compensation community, with over two decades of leadership providing expert resources, education and other benefits for our more than 6,000 members across 32 affiliated chapters.


P.O. Box 21639 Concord, CA 94521-0639 Telephone: (925) 685-9271 Fax: (925) 930-9284

©NASPP 2019, All Rights Reserved.