Benefit plans and cybercrime in the post-pandemic world
4 things plan sponsors and administrators can do to mitigate and shift security risks due to cyber thieves.
The headlines are rife with stories about cybersecurity breaches involving consumer and customer data. Often lost in the shuffle is the fact that employee benefit plans are also a prime target of cyber thieves, hacktivists and bad actors involved in corporate espionage. This article discusses the reasons that these cyber criminals are focused on employee benefits plans, the heightened risks in the post-COVID-19 world, and what plan sponsors and administrators can do to address these risks.
Why benefit plans are a prime target
Benefit plans are a prime target of cyber thieves for three reasons. First, they typically hold significant amounts of sensitive participant data – Social Security numbers, birthdays, bank accounts, medical information, family information and the like. From the cyber criminal’s perspective sensitive equals valuable.
Second, benefit plans use a significant number of outside providers, from 401(k) recordkeepers to actuaries to auditors to administrative services only (ASO) providers and beyond. So benefit plans do not just hold sensitive data themselves; they share it with many different kinds of service providers, and each handoff creates another point of attack for the savvy cyber criminal.
Third, many plans – most notably 401(k) plans – allow participants to access large amounts of money electronically. Participants can request distributions, loans, hardship withdrawals and the like, all through electronic means. Thus, every participant's login represents a potential entry point for the resourceful cyber criminal.
Impact of COVID-19
All of this is further complicated by the impact of COVID-19, which has only made plans more vulnerable. COVID-19 forced much of the workforce, in the United States and beyond, to work remotely. Thus, in-house benefits professionals, recordkeepers, health care ASOs and the like are relying far more on remote electronic access than ever before, creating new vulnerabilities.
Moreover, cybercriminals are designing their phishing and malware attacks to exploit the fact that individuals are surfing online to find information or products related to COVID-19, the financial markets, the tense political situation and the like.
What is a plan sponsor/administrator to do?
In the face of these cybersecurity challenges, which have been exacerbated by COVID-19, a plan sponsor or administrator can take steps to mitigate the risk, through education, and to shift the risk, through contractual provisions and insurance.
1. Mitigating risk through education of employees.
The key to mitigating risk lies in education, and education, in turn, starts with those handling data. Plan sponsors and administrators should consider updating their work-from-home policies to include cybersecurity language.
However, this should only be the beginning. Reliance solely on language buried in a policy is less effective than directly addressing the situation in a targeted communication.
One easy solution is to also send all employees handling plan information a short, easy-to-read list of “cybersecurity tips” they need to think about when working remotely. Tips would include the importance of locking computers when stepping away, keeping sensitive documents out of view of computer cameras, locking video conferences so uninvited attendees cannot join, and turning off voice-activated personal assistants that are always “listening.”
The tips could also remind these employees about the importance of secure document storage and destruction, as people are typically far more casual about these issues at home than they need to be when handling sensitive data. Of course, employees should be reminded about the dangers of phishing, spearphishing, social engineering and other types of attacks so they can easily recognize, and therefore not fall prey to, them.
For further ideas, sponsors and administrators can utilize resources like those offered by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency.
Further, this education should not be limited to a sponsor or administrator’s own employees. Rather, outreach to vendors is appropriate to determine whether they are taking these same types of steps, particularly if their workforce is also remote.
2. Mitigating risk through education of participants.
Education of participants is also important. In recent years, participants have been a common source of breaches when they have given away passwords or had them stolen through, for example, phishing attacks. There are multiple lawsuits involving a participant causing a breach that resulted in the theft of the participant’s 401(k) account, but then turning around and seeking to hold the plan or its vendors responsible for not having prevented the loss. These participants typically blame the vendor for not having stronger security protocols in place and the plan fiduciary for not ensuring that this was the case.
Without doubt, plan vendors and fiduciaries will want to be able to defend the strength of their security procedures and of their diligence, respectively. In anticipation of claims like this, vendors and fiduciaries should confirm, on an ongoing basis rather than once, that they are comfortable with their position in that regard.
However, focus should also be placed on how to prevent this in the first instance by making participants part of the solution, rather than just the problem.
This can be done by educating participants as to the importance of cybersecurity, the need to protect passwords and the heightened risks of phishing attacks and malware. Plans can consider adding to their summary plan descriptions language placing on the participant the responsibility for maintaining safeguards. This type of language is often buried in small print in the terms of use of an internet site, but it can be far more effective – both legally and practically – if it is prominent in a summary plan description.
As noted above with respect to plan professionals, language in a large document such as a summary plan description may not be as effective as a short, targeted communication. That being the case, plan sponsors and administrators can consider sending their participants a short list of cybersecurity reminders, explaining simply how they can protect their passwords and the security of their accounts (for example, by never reusing a password across sites, by enabling any multi-factor authentication the recordkeeper's website offers, and by reviewing account activity and address changes promptly).
3. Shifting risk contractually.
Plan sponsors and administrators also need to focus on vendor risk. Complicating that endeavor is the fact that the risk of breaches at the vendor level is difficult to mitigate because plan sponsors and administrators typically do not have control over the vendor’s actions, except as set forth in the contract with the vendor.
That being the case, plan sponsors and administrators should consider reviewing their contractual arrangements with vendors to ensure that they commit to appropriate levels of cybersecurity and do not place undue risk on the plan associated with cybersecurity failures of the vendor.
Many plans sign form contracts with cybersecurity language that is not sufficiently protective. Others have legacy contracts that did not necessarily take into account modern-day risks. This suggests that it is an opportune time to revisit whether modifications to agreements are appropriate.
To be sure, contractual provisions are a supplement to, not a substitute for, appropriate diligence. As noted above, outreach to vendors about the steps they take to ensure effective cybersecurity is as appropriate now as it was when first hiring the vendor.
One of the ways a sponsor or administrator can protect itself is by carefully reviewing a vendor’s security environment to ensure that it meets or exceeds industry standards and would be effective in the face of a cyberattack.
4. Shifting risk through insurance.
Plan sponsors and administrators should consider both whether cyberliability insurance is appropriate for them and whether their vendors have adequate insurance protection.
Cyberliability insurance can principally cover three types of events. The first is first-party operational failures, which would include things like cyberextortion, data recovery, business interruption and the like. The second is first-party breach, which could include things like legal expenses, notification expenses, credit monitoring expenses, forensic investigations and public relations. The third is third-party breach, which could include things like network security liability, liability to those whose privacy was breached, regulatory liability, media liability and the like.
What is perhaps unique about cyberliability insurance is that policies are typically not cookie-cutter documents – their coverage can differ widely from insurer to insurer and even from policy to policy.
For example, some policies may not cover data in the control of independent contractors for whom the insured is responsible; the definition of “claim” may not include formal and informal investigations; social engineering (i.e., authorized personnel being tricked into making transfers) may not be covered; and there may be exclusions for ERISA violations, professional services and contractually undertaken liability. Because social engineering and vendor-held data are precisely the scenarios described above, these gaps deserve particular attention.
On the positive side, some insurance policies will provide cybersecurity training as part of the premium or provide a premium discount where training is provided.
Given the wide variety in policy terms, sponsors and administrators considering this coverage would be wise to rely on an experienced broker and an insurance coverage attorney to compare policies before purchasing.