Most organizations have some sort of formal plan in place to protect their electronic data, but many of those security measures neglect to address the company's Employee Benefit Plans (EBPs). Protecting the sensitive data inherent in EBPs is surprisingly easy to overlook. Some business leaders rely too heavily on their anti-virus software; others mistakenly believe that their service providers' SOC 1 reports will catch anything remiss (a SOC 1 report covers controls relevant to financial reporting, not the organization's security posture as a whole); but in many cases, it's simply because the cybersecurity of EBPs is not formally regulated the way other business activities are. Given that lack of regulation, it comes as no surprise that EBPs are especially vulnerable to cyber-attacks.
Cyber Threats to EBPs
Employee Benefit Plans are a target for attackers not only because of the personally identifiable information they contain, but because the credentials and processes that administer them are the key to the plan's assets. Most threat actors will attempt to steal sensitive information or money from EBPs in the following ways:
- Phishing. Phishing is a scam, usually delivered by e-mail, that fraudsters use to trick individuals into revealing personal information such as passwords and social security numbers. A threat actor may target an EBP's participants by sending an e-mail purporting to be from the company's HR manager and asking them to "verify" their personal information or log in through a link the attacker controls.
- Ransomware. Ransomware is malicious software that, once it runs, encrypts the victim's files and demands payment for the decryption key; many operators also copy the data out before encrypting it. An attacker can use that leverage to extort the company, threatening to withhold the key or to publish the personal data of the EBP's participants if the company doesn't pay.
- Malware. Malware more broadly (ransomware is one kind of it) is a common way for threat actors to get past a company's security defenses. If the attacker can convince an employee to open an attachment or click a link, whether in an e-mail or on a compromised website the employee trusts, the result is software running on that computer with the employee's access, which can be used to reach and compromise the EBP's data.
- Hacking. Direct intrusion remains a common threat to EBPs, as well. Attackers who gain access to a benefit plan's systems, whether through stolen credentials, an unpatched system or a compromised provider, can change participants' bank account details, initiate fraudulent distributions or redirect payments out of the plan's trust account.
Each of these threats can result in financial losses to the plan and its participants, of course, but they can also disrupt day-to-day business activities, resulting in lost revenue, and can even do lasting damage to the company's reputation.
Fiduciary Duties and Cybersecurity
The onus falls squarely on the plan sponsor to protect the assets of the plan's participants. While there may be some situations in which an employee would be on the hook for a data breach, they are rare. The plan sponsor has a fiduciary duty to care for the plan's assets, and part of that duty is properly securing those assets. If an employee falls for a phishing scam, for example, the liability will likely remain with the company. In that instance, the argument under ERISA would be that the company provided inadequate security training, or had insufficient controls in place to block the malicious download in the first place.
Cybersecurity Risk Management Plan
ERISA requires that electronic confidential information be protected, but it does not prescribe exactly how. Rather than having companies check off a few standardized "risk avoidance" boxes, the Department of Labor prefers that companies create customized risk management plans that fit their needs, budget and resources. The first step plan sponsors can take is to assess themselves, which they can do by asking some of the following questions:
- What data are we protecting, and where is it stored?
- How closely do we control access points into the system?
- How do we communicate potential cybersecurity risks to our plan participants?
- How will we know if there has been a breach?
- Are our providers trustworthy? What verification must they complete before they can access our plan's data, and how do we confirm that a request for data or a change of payment details actually came from them?
- Do we have a plan in place for responding to a breach?
- Should we purchase cyber insurance, or will a data breach be covered under our existing plan?
Once the plan sponsor has answered the above questions honestly, it can set out to create its own cybersecurity risk management plan. Even though the plan doesn't have to follow any particular framework, it should, at minimum, include the following steps (these mirror the five core functions of the NIST Cybersecurity Framework):
- Identify the risks.
- Protect the data.
- Detect a threat.
- Respond to a breach.
- Recover the assets.
No matter what the plan looks like, it should be accessible to every level of the organization. Operations, management, stakeholders: they all need to be familiar with the plan, know their own role in it, and be confident it will work when it is needed.
SOC for Cybersecurity
Plan sponsors may want to consider commissioning a System and Organization Controls (SOC) for Cybersecurity engagement from a CPA firm they trust. Unlike a SOC 1 or SOC 2 report, which is scoped to a service organization's controls, a SOC for Cybersecurity report examines how well any entity's own cybersecurity risk management program is designed and operating to address the risk of a security breach. It can give stakeholders and employees confidence in management's ability to control those risks, and it can help leaders make informed decisions about future risks.
LaPorte is a member of the Employee Benefit Plan Audit Quality Center, and our CPAs have experience performing EBP audits and SOC 2 engagements that address cybersecurity issues. If you have any questions about how your EBP can improve its cybersecurity risk management program, please contact us.