Cybercriminals have cranked up attacks on organizations, and they’re turning information systems upside down looking for valuable personal data they can steal. No database seems to be safe these days, and as hacking activities intensify, employee benefit and welfare plans have become uniquely vulnerable to data theft and inadvertent disclosure.
Whether a pension plan is privately or publicly sponsored, it may still expose employees to cyber threats leading to the theft of sensitive personal information. However, most companies don’t appreciate the gravity of such cyber-risks. Additionally, they’re not doing enough to secure their employee benefit plans against possible data theft and fraudulent use of stolen sensitive information.
Why are Employee Benefit Plans Vulnerable to Data Loss or Theft?
Two main concerns make employee benefit plans a soft and lucrative target for hackers: inadequate cybersecurity measures and the black-market value of participants’ information. Here are the cyber risk factors that employers need to consider:
- Expanding IT footprints: In many cases, employee benefit plan information is accessible from multiple digital platforms, both internal and external. Plans that rely on Software as a Service (SaaS) or Platform as a Service (PaaS) providers expose large amounts of sensitive employee data to threats both at rest and in transit. In other words, a criminal seeking to steal participant or beneficiary personal information may attack a plan’s IT infrastructure from any of several fronts, including on-premise servers, third-party cloud-based servers, and endpoint devices.
- Poor cybersecurity planning: Few pension plan sponsors maintain strong, ongoing security measures for the employee information they hold. Organizations tend to rely solely on antivirus and anti-spam solutions to guard against hacking. Such measures usually fall short when tech-savvy cybercriminals go after high-value personal data.
- Grey areas in cybersecurity regulations: Any organization that stores or manipulates protected health information (PHI) must abide by the Health Insurance Portability and Accountability Act (HIPAA). However, employee benefits plans are not subject to similar cybersecurity regulations.
Participant Information at the Highest Risk of Breach
Usually, employee benefit plans hold sensitive data that criminals may access and use in various forms of identity theft. Here are some of the most lucrative pieces of personal information targeted by cybercriminals:
- Personally identifiable information (PII): Employee benefit plans hold different forms of PII that are a cybercriminal’s goldmine. That includes Social Security numbers and birthdates, which attackers can abuse for extended periods because they cannot easily be changed.
- Employee enrollment information: A successful break-in to a plan’s information system may lay bare participants’ enrollment data, enabling attackers to track account balances, transactions, and compensation information. Criminals may also take over participants’ online accounts and fraudulently apply for credit.
- Electronic protected health information (EPHI): EPHI is a hacker’s jackpot because it can be used in a broad spectrum of fraudulent ways. For example, a criminal may acquire prescription medication illegally using stolen PHI. They could also create new identities or file false insurance claims based on such data.
Employers and benefit scheme administrators can protect sensitive employee information against cyber risks in several practical ways. The 2016 DOL Advisory Council on Employee Welfare and Pension Benefit Plans report provided four main cybersecurity recommendations:
1. Employee Training
A complete cybersecurity strategy includes the training of all personnel interacting with benefit plan data or information systems. Employers should also ensure that all third-party providers collecting, storing, or transmitting their benefit plan data are training their personnel adequately. For example, employees require training to understand and avoid email phishing schemes.
2. Data Management
Implementing a proper data management and protection strategy reduces the cyber threats to benefit plan data. It includes precautions such as:
- Access controls: Determining who within and outside an organization may access what benefit plan data.
- Risk assessments: Identifying cyber threats, including ransomware, whereby attackers encrypt the data held on storage devices and demand large payments for the decryption key. A risk assessment also identifies vulnerable areas within networks, transmission systems, and data endpoints (including end-user devices).
- Only sharing necessary data: Classifying benefit plan data by sensitivity helps limit cyber-risk exposure. Employers may then share with third-party providers only the employee information that is critical to administering their pension benefit scheme.
- Regulatory framework: Regulations such as the SAFETY Act may serve as reference points as companies figure out how to secure their employee benefit plan data.
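The access-control and data-minimization precautions above can be enforced in code at the point where participant data leaves the plan’s systems. The following is an added example, not code from the original post or from Kraft Technology Group: it classifies each field of a participant record by sensitivity, keeps a per-provider list of the fields that provider actually needs, masks the Social Security number unless the provider is entitled to the full value, and writes an audit line listing which fields (never values) were released. The field names, sensitivity tiers, provider names and the sample record are all hypothetical, constructed for the example.

```python
"""Data classification and minimization for benefit-plan exports.

Added example (not the original post's code). The schema, tiers,
provider entitlements and sample record below are hypothetical.
"""
from enum import Enum


class Tier(Enum):
    PUBLIC = 0        # business contact info
    INTERNAL = 1      # enrollment status, identifiers
    CONFIDENTIAL = 2  # account balances, compensation
    RESTRICTED = 3    # SSN, date of birth, health information (PHI)


# Sensitivity classification of every field the plan system holds.
# Any field not listed here is refused at export time (fail closed).
FIELD_TIERS = {
    "employee_id": Tier.INTERNAL,
    "full_name": Tier.INTERNAL,
    "work_email": Tier.PUBLIC,
    "ssn": Tier.RESTRICTED,
    "date_of_birth": Tier.RESTRICTED,
    "enrollment_status": Tier.INTERNAL,
    "account_balance": Tier.CONFIDENTIAL,
    "annual_compensation": Tier.CONFIDENTIAL,
    "diagnosis_codes": Tier.RESTRICTED,
}

# Per-provider entitlements: only the fields each third party needs
# to perform its service ("who may access what").
PROVIDER_ENTITLEMENTS = {
    # A recordkeeper administers accounts and needs identity + balance.
    "recordkeeper": {"employee_id", "full_name", "ssn", "date_of_birth",
                     "enrollment_status", "account_balance"},
    # A wellness newsletter vendor needs contact information only.
    "wellness_newsletter": {"employee_id", "work_email"},
}

# Identifiers exported in masked form unless the caller passes full_ssn=True;
# the last four digits keep the record linkable without the full number.
MASKABLE = {"ssn": lambda v: "***-**-" + v[-4:]}


class ExportPolicyError(Exception):
    """Raised when an export would violate the classification policy."""


def minimize_record(record, provider, full_ssn=False):
    """Return a copy of `record` holding only the fields `provider` is
    entitled to, masking SSN unless full_ssn is set."""
    if provider not in PROVIDER_ENTITLEMENTS:
        raise ExportPolicyError(f"unknown provider: {provider}")
    allowed = PROVIDER_ENTITLEMENTS[provider]
    out = {}
    for field, value in record.items():
        if field not in FIELD_TIERS:
            # Unclassified data must never leave the system by accident.
            raise ExportPolicyError(f"unclassified field: {field}")
        if field not in allowed:
            continue
        if field in MASKABLE and not full_ssn:
            value = MASKABLE[field](value)
        out[field] = value
    return out


def audit_line(record, provider, exported):
    """Build an audit log line naming the released fields (not values)
    and calling out any RESTRICTED fields among them."""
    restricted = sorted(f for f in exported if FIELD_TIERS[f] is Tier.RESTRICTED)
    return (f"export provider={provider} employee_id={record['employee_id']} "
            f"fields={sorted(exported)} restricted={restricted}")


# Constructed sample participant record with fictitious values.
SAMPLE = {
    "employee_id": "E-1042",
    "full_name": "Jane Example",
    "work_email": "jane.example@example.com",
    "ssn": "123-45-6789",
    "date_of_birth": "1980-04-01",
    "enrollment_status": "active",
    "account_balance": 84210.55,
    "annual_compensation": 91000,
    "diagnosis_codes": ["Z00.00"],
}

if __name__ == "__main__":
    for prov in PROVIDER_ENTITLEMENTS:
        exported = minimize_record(SAMPLE, prov)
        print(audit_line(SAMPLE, prov, exported))
        print(exported)
```

The design choice worth noting is that the export fails closed: a field that has not been classified raises an error rather than being passed through, so adding a new column to the plan database forces someone to decide its sensitivity before it can reach any provider. The audit line records field names only, so the log itself does not become another copy of the sensitive data.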
3. Technology Management
Administrators of employee welfare plans should use modern technology to store and process sensitive personal data. Secure on-premise or cloud-based systems combined with strong encryption usually provide a significant level of data security.
4. Service Provider Management
It’s critical to assess the cybersecurity programs that third-party providers implement to protect employee benefit plan data. Organizations should set explicit conditions under which these providers are granted data access.
Getting Professional Help
While cybersecurity keeps changing with evolving threats, many employee benefit plan administrators are unable to keep pace with the advanced technology required to secure sensitive personal information. Thankfully, companies may turn to cybersecurity experts for help protecting their on-premise and cloud-hosted software and storage devices.
At Kraft Technology Group, we provide safeguard solutions against both traditional and emerging cyber risks. Contact us today for help developing a secure digital perimeter around your benefit plan’s IT infrastructure!
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.