Employee benefit plans are a common perk for many organizations. They are often seen as a necessary employee benefit, but they also carry significant compliance obligations. Specifically, ERISA-covered group health plans are subject to the HIPAA privacy and security rules, and both health and retirement plans face assurance and audit requirements and more.
Cybersecurity is often not a focus for many organizations’ employee benefit plans. After all, what would a cybercriminal want with an employee benefit plan?
Cyber Risks with Employee Benefit Plans
ERISA-covered plans are a prime target for cybercrime. They are storehouses of personal data on participants, including Social Security numbers, dates of birth, account balances and a variety of other personally identifiable information. This makes them ripe for identity theft as well as a host of other potential cyber scenarios.
Here are just a few of the cyber risks that can impact employee benefit plans:
- Breach of protected health information can lead to HIPAA violations, which can carry fines
- Ransomware attacks can impact the ability to pay out pension checks and health claims in a timely fashion
- Data loss can occur when a system is breached
- Employee loss of confidence in the organization
- Employee identity theft
- Personal information gathering that could be used for compromising other accounts, for example by resetting passwords or answering security questions with stolen participant data
- Brand damage is likely if a breach is publicly disclosed
How to Reduce Cyber Risk in Your Employee Benefit Plan
Employee benefit plan fiduciaries have an obligation to prepare for and mitigate potential cybersecurity risks. This is critical to protecting participant information and building a strong culture of security within the organization.
The U.S. Department of Labor’s Employee Benefits Security Administration recommends the following cybersecurity guidance when it comes to private retirement plans:
- Have a formal, well-documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure any assets or data stored by a cloud or third-party service provider are subject to a security assessment.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resilience program that includes business continuity, disaster recovery and incident response.
- Ensure sensitive data is encrypted, both when stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
These best practices should be followed by recordkeepers and service providers who have responsibilities for plan-related IT systems and data.
How to Hire Service Providers with Strong Cybersecurity Experience
The best practices issued by the Employee Benefits Security Administration should also be used by plan fiduciaries when choosing third-party service providers to help with their plans. After all, these service providers are trusted to maintain plan records and keep track of confidential participant data. It is essential plan sponsors and service providers alike follow strong cybersecurity practices.
Here are a few recommendations when evaluating third-party service providers for your employee benefit plans.
- Inquire about the provider’s information security standards, practices and policies. Specifically, look for service providers who follow a recognized standard for information security and utilize an outside auditor to regularly review their cybersecurity practices.
- Ask to review audit results (for example, a recent SOC report) to confirm the service provider is complying with cybersecurity standards and best practices, and whether any findings were remediated.
- Review public information about the service provider, including information security incidents, litigation and legal proceedings with vendors.
- Ask about past security breaches and how the provider responded to those incidents.
- Make sure the service provider has cybersecurity insurance that would cover losses caused by cybersecurity and identity theft breaches.
- Ensure ongoing cybersecurity testing, breach notification and compliance obligations are part of your contract with the service provider.
A third-party service provider is a direct link to your plan and its information. It’s important both the plan fiduciaries and the service providers are adhering to cybersecurity plans and incident response policies.
Creating a Culture of Security for Your Employee Benefit Plan
The more information we hold online, the more opportunity there is for a cyber breach to occur. Often, it’s not a matter of if it will happen, but when. There are steps you can take to help lower the risk of a cyber incident or lessen the impact should one occur.
It all begins with a culture of cybersecurity in your organization. Employee benefit plans are a perfect example of how cyber risk impacts everything you do. The more you can create proactive processes and plans to protect from a breach, the more likely you will be to lessen its impact. By creating and activating an incident response plan, you can efficiently identify, respond to, and contain an incident when one occurs.
Dive deeper: Visit EideBailly.com for online security tips to help reduce risk to your employee benefit plan.