Cybersecurity has become a priority concern for every type and size of business, not to mention government entities, and not only here in the US. Hardly a day goes by that we don’t hear of another major data breach, be it a hack attack, a ransomware demand, or some other form of malware designed to extract confidential corporate or personal data.
Some of these attacks are “merely” illegal schemes to steal money directly. Others are designed for identity theft, the data from which can be used for any number of nefarious purposes.
Should employers and their plan service providers be concerned about the vulnerability of employee retirement plans? Certainly.
Last year alone, over one-third of US federal agencies reported a data breach. Globally, the top industries hit with ransomware attacks are:
- Business and professional services (28%)
- Government (19%)
- Healthcare and retail (15% each)
The hits just keep coming, and retirement plans are no exception
In June 2016, hackers hit the Chicago Deferred Compensation Plan. They obtained personal data from 58 different participant accounts, using the information to obtain $2.6 million in fraudulent loans. Participant funds were replaced by the administrator.
The next month, the United Food and Commercial Workers Union Local 655 Employer Joint Pension Plan was attacked with a ransomware demand. Having taken the fundamental precautionary step of ensuring data backups, the union was able to ignore the ransom demand and recreate data locked by the hackers.
Cybersecurity breaches are expensive, in multiple ways
Employers are already familiar with detailed protections required for healthcare plans and their associated data. But other types of benefit plans are equally vulnerable. Retirement plans are not any “safer” than any other data. And they are, in fact, an inviting target because there is so much personal data associated with each account. The individual’s name, Social Security number, date of birth, and address are all there, plus there is valuable financial information including compensation.
Should a breach occur, companies must work to detect how that happened and the full extent of the breach. They have to recover the data and restore internal system integrity. That’s a big job, and it can be costly. Productivity suffers because of the breach, and it can continue to suffer while investigative work is underway. But all this is just the beginning.
In some cases, a breach could result in a federal enforcement action of some type. In many states, employers and retirement plan service providers are required to notify affected parties if there is a breach, and there are laws that allow civil action if there is an unauthorized release of protected personal information.
And then there is the ill will generated among employees – and public distrust – once word of a data breach gets out. Brand damage can be even more costly than dollar losses. Who wants to work for (or shop with) a company that cannot reliably protect your most personal information?
It’s time for employers to enact protections
Department of Labor regulations do note risks of storing and communicating plan data electronically, and they require plan sponsors to protect confidential data. Developing specific cybersecurity policies and plans can help companies protect themselves and their employees from dangerous data breaches. The longer employers wait to establish comprehensive protections, the greater the risks.
So what can you do?
Create a retirement plan cybersecurity risk management strategy
To be most effective, retirement plan protections should mesh with overall corporate cybersecurity risk management efforts. You could use SPARK Institute, AICPA or another industry-based initiative as a framework, or use the SAFETY Act or NIST framework. Identify in writing who within the enterprise is responsible for implementing and updating the retirement plan protection strategy.
Identify data specifics:
- Which data needs to be protected
- Where stored
- How used and by whom – access must be adequately limited and controlled
- Encryption needs
- Data retention/destruction timeframes
Determine what certification(s) may be needed for compliance as well as system testing procedures, frequency, and results reporting requirements.
Train all employees to enhance cybersecurity awareness, and implement background checks for any new employees who will have direct or indirect access to retirement plan data.
Consider third-party risk management
Service providers and their vendors also have access to confidential benefits plan data. So ask about their cybersecurity risk management plans. Are the controls they use (especially regarding encryption and transmission protocols) sufficient? What are their testing procedures like? Do they have any industry certifications or external reviews that can validate the reliability of their systems?
Carefully review all contracts to ensure they delineate who is responsible for data protection and how liability risk is allocated. What are each party’s obligations should a data breach occur? Do service providers/vendors carry insurance covering cybersecurity breaches? Ask about coverage details.
Evaluate your own insurance
Employers carry multiple types of insurance, from general liability to E&O to ERISA bonds or fiduciary coverage. However, cybersecurity breaches are not necessarily covered by any of these policies. It is crucial to examine current insurance to identify gaps that should be filled with specialized cybersecurity coverage.
Cybersecurity insurance is relatively new to the industry, so it is a work in progress. That makes it even more important to understand the scope of a potential policy as well as individual and policy incident limits and other terms and limitations.
Is all this really necessary?
The jury is still out on whether addressing cybersecurity risks is a formal fiduciary responsibility under ERISA. Nonetheless, proactive employers are taking a broader view of the situation. Given the variety of threats to company and employee well-being that could result from a data breach, employers should be considering every possible opportunity to protect their retirement plan data and systems, and ensuring that their service providers are fully protected, too.
In the end, cybersecurity is a “best available” effort, not a guarantee no breach will ever occur. Technology is evolving rapidly, offering newer, better protections for electronic data storage and communication. But the bad guys are evolving also, finding new ways to break through or circumvent the latest protections.
Working together, plan sponsors and service providers can create a comprehensive cybersecurity risk management strategy that is tailored to the company’s specific benefit plans. A well-crafted strategy that offers a reasonable, proportionate response to identified risks is far better protection than no plan at all.