When most plan participants think about security involving their retirement plan, they are typically thinking along the lines of financial security and how their investments perform. However, like other financial institutions, retirement accounts are subject to cyber threats that could threaten users' privacy and other account information.
Retirement and health benefit plans may have a lot of detailed information about plan participants. This includes their name, date of birth, Social Security Number, bank information, email and physical addresses, and passwords or PIN numbers. Hackers and cyber criminals can use this information to access bank accounts, open new credit cards, or take out loans in someone else's name.
Last year, the ERISA Advisory Council drafted a report on cyber security titled “Employee Benefit Plans: Considerations for Navigating Cybersecurity Risks.” The report raises awareness of cybersecurity threats and provides information to plan sponsors, service providers, and fiduciaries regarding the development of risk management programs to address cybersecurity threats.
Examples of cyber threats cited in the report that are common today include:
- Ransomware used by criminals to encrypt and seize an entire hard drive, only releasing it in exchange for a high ransom.
- Phishing where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cyber-criminal to infiltrate a computer network.
- Wire transfer email fraud where cyber criminals pretend to be senior executives asking employees to transfer funds.
- Malware via external devices where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.
While companies are increasingly aware of the potential for theft of personally identifiable information, there continue to be weak and unprotected points of access to be aware of. Increasingly, data is accessed on mobile devices and stored using cloud-based services, making it susceptible to cyber security threats.
The fact that there are many different users and service providers involved in benefits administration further complicates the issue. Everyone who comes in contact with personal information has a role to play in protecting that information. This includes cyber threat training and regular monitoring and reporting of threats to plan participants' personal information.
According to the report, “[l]arge employers and organizations are more likely to have the resources to obtain guidance on the management of personal information in benefit plans and to increase their due diligence efforts in this area. Small and mid-sized employers and organizations are less likely to have the resources to obtain this level of support and guidance.”
Many companies use third party administrators (TPAs) in managing employee benefits. However, while TPAs may have experience in handling benefit plans, not all TPAs “have a comprehensive and consistent regulatory framework to guide their data security programs.” Plan sponsors who use TPAs should be aware of the benefits of using service providers with robust cybersecurity policies and procedures. Fiduciaries should clearly spell out security obligations and responsibilities and include automatic notification and audit obligations.
If you have any questions about cybersecurity threats to employee benefit plans, contact your benefits and ERISA attorneys at Butterfield Schechter LLP. We are San Diego County's largest firm focusing its law practice on employee benefits. Our firm can help you safeguard plan participants' privacy and maintain compliance with ERISA regulations. Contact our office today with any questions on how we can help you and your business succeed.