Has your organization put a cybersecurity plan into place now that remote work and hybrid options have changed the way we do business? Being prepared is critical as cybercrime becomes more sophisticated, producing legitimate-looking forms of communication that can slip past your firewalls. Be aware that malware and phishing attacks are on the rise.

Employee benefit plans have strict compliance rules and are becoming an ever-growing target for cybercrime because they contain a significant amount of sensitive participant data. In 2021 alone, cybercrime cost businesses across the United States over $7 billion. According to the Employee Benefits Security Administration (“EBSA”), in 2018 there were an estimated 34 million defined benefit plan participants and 106 million defined contribution participants, representing an estimated $9.3 trillion in assets. That is a big gamble when it comes to the potential risks posed by cybercrime and the importance of protecting your participants’ personal information and assets.

Don’t think it can’t happen to you? Here are a few examples of how cybercrime, including ransomware attacks, can affect employee benefit plans. An attack can:

  1. Impair the ability to pay out pension checks and health claims in a timely fashion
  2. Result in the loss of critical data
  3. Open the door to employee identity theft
  4. Cause a loss of employee confidence and brand damage

Fortunately, when it comes to your data, there has been a lot of discussion in recent months about the importance of insurance against loss, along with training for employees at all levels of your organization. The Department of Labor’s ERISA Advisory Council (EAC) even deemed “cybersecurity insurance and employee benefit plans” one of its most crucial topics at its May 2022 meeting.

Within the last year, the Department of Labor (“DOL”), through its Employee Benefits Security Administration (“EBSA”), has released guidance regarding the duty that Plan Sponsors have in ensuring that participant data is protected.

Suggested best practices include:

  1. Having a formal, well documented cybersecurity program
  2. Conducting annual risk assessments
  3. Conducting a reliable, third-party audit of security controls
  4. Defining and assigning information security roles and responsibilities to employees
  5. Following strong access control procedures
  6. Ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and assessments
  7. Conducting periodic cybersecurity awareness training
  8. Implementing and managing a secure system development life cycle (SDLC) program
  9. Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response
  10. Encrypting sensitive information both stored and in transit
  11. Implementing strong technical controls following best practices
  12. Responding to any past cybersecurity incidents

In line with the new guidance, it has been emphasized that a significant part of the Plan Sponsor’s duty lies in safeguarding assets. Now is the time to start treating participant data as a key asset within your organization. As you move forward in enhancing your cybersecurity practices and begin to assess your organization’s risks, it is recommended that you turn to the DOL’s recent guidance and consult with your service providers.

If you have any questions, please don’t hesitate to email us.

About the Author

Marissa Flood is an accountant in the Assurance Practice at SobelCo. Marissa works with the firm's employee benefit plan practice group, while also servicing the firm's nonprofit and commercial business audit clients in a variety of industries.

For more information contact Marissa Flood at marissa.flood@sobelcollc.com.