A series of damaging cyberattacks have put cybersecurity back in the headlines. Earlier this year, a cyberattack shut down a major oil pipeline that transports gasoline to much of the country, disrupting gas supplies for days and raising prices.
Soon after, another cyberattack temporarily halted meat production at a large beef processor and disrupted these supply channels. Incidents like these are a reminder of the tremendous damage cyberattacks can unleash on our nation’s infrastructure and the importance of building up cyber defenses.
It’s True for Plan Sponsors, Too
This is just as true for employee benefit plan sponsors as it is for the CEOs of pipeline and meat processing companies. Retirement and health and welfare plans are ripe targets for hackers looking to steal plan assets and participants’ enrollment data, personally identifiable information (PII), and electronic protected health information (EPHI).
Plan sponsors also have fiduciary duties under ERISA that extend to the harm a cyberattack or data breach could cause plan participants. As a plan fiduciary, you should anticipate and prepare for the critical actions and decisions you will have to take in response to a cyberattack.
Employee benefit plan information that’s stored electronically can be especially vulnerable to cyberattacks due to the vast amounts of sensitive employee data (including PII) that’s shared with third parties like outsourced service providers. Many of these providers electronically store and share this information with other organizations.
Also, employee benefit plans often fall outside the scope of a sponsor’s regular cybersecurity defenses, and no single regulatory regime governs their cybersecurity. In addition, plan sponsors may believe that anti-virus software installed on systems and computers will provide full protection from an attack, or that the SOC 1 reports they receive from outsourced service providers adequately address their cybersecurity risks (see sidebar). Neither is true: anti-virus software addresses only known malware, and a SOC 1 report covers controls relevant to financial reporting, not the provider’s security controls, which are the subject of a SOC 2 report.
However, given the key differences between cybersecurity risks inherent in employee benefit plans and other areas of the business, it’s critical to form separate and distinct cybercrime risk mitigation strategies for employee benefit plans.
Negative Consequences of a Cyberattack
Your organization could face a number of negative consequences as a result of a cyberattack that targets your employee benefit plans, including the following:
- The financial costs incurred to detect the extent of the breach, investigate and manage the response, recover data, and restore the system’s integrity could be substantial.
- Plan participants, beneficiaries, service providers, and the plan itself could suffer financial losses from the theft of PII and from unauthorized access to the online accounts that control plan assets.
- A damaging cyberattack could lead to operational disruption and harm your organization’s reputation.
- As the plan fiduciary, you could be required to restore financial losses that participants and their beneficiaries suffer.
- If EPHI is breached during a cyberattack, you could be found in violation of HIPAA, which could lead to fines or monetary settlements.
Main Cyber Threats to Benefit Plans
One of the main cyber threats to employee benefit plans remains phishing and spear phishing. In these schemes, cybercriminals send fake (but sometimes very convincing) emails that try to get employees to open attachments containing malware, to click links that download malware onto their computers, or to enter their login credentials on a look-alike site controlled by the attacker.
Once installed, malware can give hackers remote access to participants’ account information. This could enable them to request fraudulent plan distributions or loans, redirect benefits to a fake account, or create fraudulent health claims.
In one instance, hackers sent a fake email to a plan sponsor’s human resources department that was supposedly from a top executive asking for sensitive participant information. The employee sent the information before someone realized that it was a spear phishing attack. In another instance, a phishing attack at a plan recordkeeper exposed participants’ retirement accounts to a data breach in which unauthorized distributions were made.
Ransomware is another growing cyberthreat—the type that targeted the gas pipeline and meat processor earlier this year. Here, cybercriminals infiltrate computer networks and encrypt or freeze data, holding it “hostage” until their ransom is paid. According to the 2020 Trustwave Global Security Report, ransomware is now the leading form of cybercrime in the U.S.
Reducing Your Cybersecurity Risk
Here are four steps, drawn from the core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover), to reduce cybersecurity risk to your employee benefit plans:
- Determine where you’re most vulnerable. You’re only as strong as your weakest cybersecurity link, so figure out where this is. For many plan sponsors, the weak link lies in employees who are untrained in properly handling sensitive data.
- Be proactive in protecting sensitive information. This includes participant enrollment data, PII, and EPHI. Strive to create a culture of awareness about the importance of data security throughout your organization.
- Establish detection mechanisms. Detection means logging account and administrative activity, monitoring it, and alerting on anomalies (for example, a distribution request shortly after a change of bank account details), so that you know when an attack is under way. Penetration testing is valuable too, but it finds weaknesses before an attacker does rather than telling you that an attack has occurred.
- Devise a cybersecurity defense plan. Your plan should detail two areas: 1) How you will respond to a cyberattack to minimize damage, and 2) How you will recover from damage due to an attack.
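As an added illustration of the kind of detection mechanism the third step calls for (example code written for this page, not from the original article or from any recordkeeper’s system), the following Python flags the fraud pattern described earlier: a distribution request that follows a password reset or a bank-account change within a short window, or that is submitted from an address the participant has never logged in from. The event log, the field names, and the seven-day window are constructed assumptions; a real deployment would read these events from the recordkeeper’s audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One audit-log entry for a participant account (constructed schema)."""
    ts: datetime
    participant: str
    kind: str          # "login", "password_reset", "bank_change", "distribution"
    detail: str = ""   # source IP for logins and distribution requests


# Constructed sample audit log; not real participant data.
SAMPLE_EVENTS = [
    # alice: routine activity, request from an address seen well before the window
    Event(datetime(2021, 6, 1, 9, 0), "alice", "login", "10.0.0.5"),
    Event(datetime(2021, 6, 20, 14, 0), "alice", "distribution", "10.0.0.5"),
    # bob: account-takeover pattern -- new address, reset, new bank account, cash out
    Event(datetime(2021, 3, 1, 8, 0), "bob", "login", "192.0.2.10"),
    Event(datetime(2021, 6, 10, 9, 0), "bob", "login", "203.0.113.7"),
    Event(datetime(2021, 6, 10, 9, 5), "bob", "password_reset"),
    Event(datetime(2021, 6, 11, 10, 0), "bob", "bank_change"),
    Event(datetime(2021, 6, 12, 11, 0), "bob", "distribution", "203.0.113.7"),
    # carol: bank change months earlier, so outside the window
    Event(datetime(2021, 1, 5, 9, 0), "carol", "bank_change"),
    Event(datetime(2021, 2, 1, 9, 0), "carol", "login", "198.51.100.2"),
    Event(datetime(2021, 6, 15, 9, 0), "carol", "distribution", "198.51.100.2"),
]


def flag_suspicious_distributions(events, window=timedelta(days=7)):
    """Return (participant, timestamp, reasons) for each distribution request
    that follows a password reset or bank-account change within `window`, or
    that comes from an IP not seen in any login before the window began.
    Each rule on its own is noisy; together they describe the takeover pattern."""
    by_participant = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_participant.setdefault(e.participant, []).append(e)

    flagged = []
    for participant, evs in by_participant.items():
        for e in evs:
            if e.kind != "distribution":
                continue
            window_start = e.ts - window
            prior = [p for p in evs if p.ts < e.ts]
            recent = [p for p in prior if p.ts >= window_start]
            reasons = []
            if any(p.kind == "password_reset" for p in recent):
                reasons.append("password reset within window")
            if any(p.kind == "bank_change" for p in recent):
                reasons.append("bank account changed within window")
            # Addresses are "known" only if used for a login before the window,
            # so an attacker's fresh login does not whitelist their own address.
            known_ips = {p.detail for p in prior
                         if p.kind == "login" and p.ts < window_start}
            if e.detail and e.detail not in known_ips:
                reasons.append("request from IP not seen before window")
            if reasons:
                flagged.append((participant, e.ts, reasons))
    return flagged


if __name__ == "__main__":
    for participant, ts, reasons in flag_suspicious_distributions(SAMPLE_EVENTS):
        print(f"ALERT {participant} {ts:%Y-%m-%d %H:%M}: {'; '.join(reasons)}")
```

Run against the sample log, only bob’s request is flagged, on all three rules; alice’s and carol’s requests pass because their addresses were established before the window and no sensitive change preceded the request. Tuning the window and adding rules (for example, a changed mailing address or a distribution to an account opened days earlier) is where a recordkeeper’s fraud team would spend its time.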
Plan Your Defenses Now
In today’s environment, it’s almost inevitable that a cyberattack will occur—the only question is when. This is why it’s so important to plan your cybersecurity defenses now instead of after you’ve suffered an attack or data breach.