Cybersecurity is typically a topic that arises when a high-profile incident has occurred. Most businesses maintain a basic level of security but do not implement more comprehensive controls because the potential damages are often unknown. Unfortunately, this approach may leave the door open for cybercriminals to commit numerous illegal activities. Even businesses with comprehensive cybersecurity plans such as the Colonial Pipeline, McDonald’s, CNA Financial and the Florida Water System have all been victims. The emerging threat presented by cybercrime not only impacts businesses, but also creates unique challenges for health and retirement plans. Given the large amount of personally identifiable information (PII) used in plan administration, they have now become a target for cybercriminals. In fact, there have been several cases brought against plan administrators after a breach. This reality means plan sponsors need to carefully evaluate these risks and plan appropriately. To help clients, prospects, and others, Calvetti Ferguson has provided a summary of key considerations below.
Plan Risk Overview
Benefit plans contain a bevy of attractive information that cybercriminals would be delighted to access and use for fraud or other illegal purposes. Details on plan assets, participant information, and related beneficiary details can fuel immediate and long-term fraud schemes. This means plans face several potent risk factors including those related to privacy, security, and fraud.
There are many reasons why the risk exists, including:
- Digital Environment – Like most businesses, benefit plans operate in a digital environment, which includes requests for distributions, plan loans, elective deferrals, and other activities. These requests often carry the sensitive data needed to complete the task. Anywhere large amounts of such data are stored and transmitted is fertile ground for cybercriminals.
- Lack of Knowledge – For many plan sponsors, cybersecurity is a very new concept. In fact, the DOL only recently issued cybersecurity guidance to follow when selecting third-party vendors to provide plan services. Given this, there is often a false sense that anti-virus and anti-spam software offer an adequate level of protection. In addition, sponsors may also falsely believe that a plan provider’s SOC 1 report (which covers controls over financial reporting rather than security) means they are protected.
- Lack of Regulations – While benefit plans are subject to dozens of regulations, none of them relate specifically to cybersecurity. While this is expected to change in the future to align plans with other businesses that handle personal information, there are currently no requirements to implement cybersecurity controls.
As alluded to above, several types of information are susceptible to cyber-attacks, including PII and protected health information. PII includes information such as Social Security numbers, email addresses, home addresses, dates of birth, annual compensation, account balances, and even financial account details. Once stolen, this information is most often used to request fraudulent loans and distributions.
In addition, electronic protected health information (EPHI) includes health status, insurance provisions, payment for services, and other sensitive information stored in digital form. This information can be used to acquire prescriptions, falsify insurance claims, file fake tax returns, and even open new bank accounts.
Common Types of Attacks
There are many types of attacks that can be used to steal data. In fact, as cybersecurity controls become more effective, cybercriminals have an incentive to increase the sophistication of their methods; however, attacks currently fall into three broad categories:
- “Phishing” Attacks – These are attempts to obtain login credentials to access online participant account information. Using this information, the cybercriminal can request distributions or loans which are directed to fraudulent accounts.
- Malware – These attacks trick a user into running a Trojan horse program, usually from a website that is commonly visited. The website is compromised without its owner’s knowledge and delivers malware instead of the regular content. Once a computer is breached, the malware acts quickly to infect other networked devices and begins searching for data to steal.
- Ransomware – This attack penetrates a company’s network and encrypts its data, making the data impossible to use. The cybercriminals hold the data for ransom, providing the decryption key only once a large payment has been made. In recent weeks, the news has been filled with stories about such attacks, including the one against JBS Swift.
Plan Fiduciary Responsibilities
Given these threats, plan fiduciaries are often interested in learning what preventative steps should be taken. The DOL has published several bulletins which broadly outline the actions to take. First, as part of the duty to monitor plan service providers, it is necessary to understand how these organizations store and protect plan data. In addition, there is a requirement to maintain an incident response plan. The plan should specify when and how participants will be informed of a breach, the process by which the event will be addressed and corrected, and the documentation required to record its resolution. It is also recommended to periodically review insurance limitations to determine whether additional coverage through a cybersecurity policy would be beneficial.
The ever-evolving types and sophistication of cyber-attacks pose a significant risk to Texas employee benefit plan sponsors, third-party providers, and participants. To ensure plans are properly protected, it is necessary to review and implement the appropriate cybersecurity controls. If you have questions about the information provided above or need assistance with a cybersecurity need, Calvetti Ferguson is here to help.