Cyber security and employee benefit plans
Employee benefit plans are coming under greater risk for cyber attacks. Nearly all employee benefit plans contain high account balances and sensitive personal information for both participants and beneficiaries. The following factors contribute to this increasing risk:
- Benefit plan information is almost always stored electronically
- Benefit plans generally are not considered by employers when they formulate their cybersecurity policy
- Benefit plans are only lightly regulated for cybersecurity
What Information Is At Risk Because of a Cyber Attack?
Employers and third-party service providers hold specific electronic information that is very valuable for cyber attacks, including:
- Personally identifiable information like Social Security numbers, birth dates and email addresses
- Participant account balances, direct deposit information, compensation and other financial information
- Electronic health information that can be used to acquire prescription drugs, falsify insurance claims, open credit accounts or obtain fraudulent government documents
What Are The Consequences of a Cyber Attack?
A cyber security breach not only causes damage to your reputation but also brings many accompanying financial damages, including:
- Costs related to the breach investigation and recovery
- Costs resulting from losses to your employees and your benefit plans
- Costs from potential lawsuits for breach of fiduciary duty
- Fines and sanctions from government agencies
What Responsibilities Do Plan Sponsors Have?
Plan sponsors and certain third-party service providers have ERISA fiduciary obligations for each of the employee benefit plans they manage. ERISA requires that all fiduciaries must administer the plan with the care, skill, prudence and diligence under the circumstances that a prudent person would use. Regulations issued by the Department of Labor (DOL) provide specific requirements for the protections and confidentiality of personal information. Depending on the state you live in, you may have additional cyber security requirements.
In November 2016, the DOL issued an Advisory Council Cyber security Report. That report recommends that employers:
- Establish procedures on how to communicate with plan participants about what is being done to protect their personal information
- Create a process to correct a cyber breach if it occurs and what remedies will be offered to those affected
- Document steps taken when responding to a breach
- Vet service providers and negotiate contractual provisions to lower the risks and costs of a cyber attack on their plan
- Review and understand the limitations of their business insurance and cyber insurance coverage and address any gaps in coverage
The report also identified four main areas employers should include in their cyber security policies. They are:
- Data management – have specific plans and regular updates for how you will control and protect data
- Technology management – make sure your technology is up to date
- Service provider management – regularly perform due diligence on the data security practices of your service providers
- People management – regularly train all of your employees that handle personal information
Benefit plan cyber security is an overlooked risk. However, most organizations already have a cyber security plan in place. Use the suggestions above and compare them to your plan. By testing and updating policies, monitoring service providers and regularly training your employees you can lower the risk of a breach of the sensitive information in your benefit plans. Connect with us to find out more.