Apple Growth Partners

Protect Your Employee Benefit Plans from a Cyber-Attack

By Susan P. Burnoski, CPA, MAcc and Krista Steedly, MAcc

Cybersecurity is more than a buzzword; it affects both professional and personal online use. Most people recognize the basic risks; for example, they check that an online payment site begins with “https”. However, when you think of “cybersecurity”, do you think of your employee benefit plans? Plan sponsors may believe their Information Technology counterparts or the plan’s service providers “own” cybersecurity, but every plan sponsor needs to understand the associated risks and take active steps to ensure participant security. Accenture recently reported that security breaches increased by 27.4% in 2017. Take steps now to protect your valuable data.


Plan administrators and those charged with governance have an ERISA fiduciary duty for the management of the plan, including implementing processes and controls to restrict access to a plan’s systems, applications, and data. The Department of Labor (DOL) began issuing technical releases on cybersecurity matters in 2011 and continues to emphasize the plan sponsor’s duty to understand and implement all aspects of cybersecurity.

Employee benefit plans, like all other organizations and individuals, are vulnerable to cyber-attacks and can be exposed to risks relating to privacy, security, and fraud. Retirement plans are attractive targets for hackers seeking access to plan assets and personally identifiable information (PII), including participant and beneficiary identifiers. Likewise, health plans are also under attack for PII as well as personal health information. Factors that contribute to cyber risk in plans include:

  • Plan documents available online: Electronic benefit plan information is especially susceptible to cyber-attacks because it contains large amounts of sensitive employee information that is shared with multiple third parties, including outsourced service organizations that also maintain and electronically share confidential employee and asset information.
  • Hard to identify the owner: Benefit plans often fall outside the scope of a sponsor organization’s cybersecurity planning.
  • Crucial missing regulation: Employee benefit plans are not regulated for cybersecurity purposes, as are certain other businesses that handle personal information, such as online banking.
  • “Anti-virus software will catch it”: Plan sponsors and administrators may have a false sense that anti-virus and anti-spam software adequately protect them from these risks.
  • “Our service provider has a Service Organization Control (SOC) report”: Plan sponsors and administrators assume their service organization’s SOC 1 report addresses cyber risks at the service organization. While these reports mention basic security, only a cybersecurity-specific SOC report adequately addresses cyber risk.

Employee benefit plans house a variety of electronic information that may be vulnerable to cyber-attacks. PII, which includes social security numbers, dates of birth, and email addresses, has significant value to cybercriminals because it is permanently associated with an individual (unlike a credit card account number, PII cannot be easily “canceled”). Participant enrollment data, individual account balances, direct deposit information, compensation, and other financial information are also at risk. A hacker could also target participants’ personal online accounts to gain the ability to request loans and distributions and to access participant and/or sponsor contributions.

Plans and service providers have fallen victim to cyber schemes that steal plan contributions and participant data, make fraudulent transfers of participant assets (through direct transfers and fraudulent plan loans), and deploy ransomware.

Failure to require unique passwords for each person who touches the plan is a frequent source of cyber disruption. To protect your employees’ valuable data, recognize the common cyber-attacks and learn how to defend your plan:

  1. Phishing – Fraudulent practices used to obtain login credentials and passwords in order to gain access to online accounts.
    • Example: An email, claiming to be from the plan sponsor’s top executive, was sent to the human resources (HR) department requesting sensitive employee data. HR responded by sending the information before realizing it was a “spear phishing” or “whaling” email from an outside party.
  2. Malware – Software that is intended to damage computer systems.
    • Example: A fake login page is created for your company’s retirement or health plan to capture an unsuspecting user’s login and password credentials, which are then used to access personal records.
  3. Ransomware Attacks – Cyber criminals encrypt and seize an entire hard drive, only releasing it in exchange for a ransom.
    • Example: Hackers take control of the plan sponsor’s system and demand a ransom for the PII and bank accounts at risk.

Action steps plan sponsors should take:

  1. Do not permit employees to share passwords or use the same password.
  2. Implement a training program on cybersecurity for all employees. KnowBe4 is one of the many cost-effective security training programs.
  3. Review the plan’s service provider SOC reports to determine the complementary controls that the plan sponsor must implement to ensure the vendor’s systems work as designed.
  4. Review and understand your business insurance policy. Consider a cyber insurance policy.
  5. Review and understand the cyber controls that are in place at the plan’s service providers.
  6. Develop a basic plan of communication and action plan in the event of a breach.

To discuss with our expert audit and assurance team, contact us today.