Employee benefit plans: Managing cybersecurity risks
The Department of Labor’s Advisory Council on Employee Welfare and Pension Benefit Plans (known as the DOL ERISA Advisory Council) has issued a report, Cybersecurity Considerations for Benefit Plans, which summarizes its examination of and recommendations regarding cybersecurity considerations as they relate to pension and welfare benefit plans.
Cyber threats, including losses due to compromised data and assets, are a daily headline. No individual, organization or industry is immune from cyber threats, and benefit plans and their service providers are no exception.
Common cyber risks to benefit plan participants include identity theft, privacy breaches and theft of assets. The cost of a breach, which includes detecting the extent of the breach, recovering the data and restoring the system, can be substantial.
Cyber threats cannot be eliminated, but they can be managed. Cyber experts say that it is not a question of if you will have a cyber-attack, but a question of when. The next question is what you are going to do about it. In addition to taking action to minimize cybersecurity risk, all parties involved in the administration of benefit plans and their data should be prepared to RESPOND and RECOVER in the case of a cyber event. Cybersecurity is everyone’s responsibility. Critical actions and decisions can be anticipated, so they should be considered before an incident occurs, not while it is occurring or after it has occurred. You should be PREPARED IN ADVANCE.
Because benefit plans are regulated by the Employee Retirement Income Security Act of 1974 (“ERISA”), anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated duties of plan sponsors and service providers arising under ERISA. The operations and administration of benefit plans require data sharing and asset movements among multiple parties, including third-party administrators, custodians, actuaries, auditors, trustees, funds and financial accounts. It is critical for plan sponsors, administrators and service providers to have a strategy to: (1) manage data and assets with the objective of minimizing exposure to the cyber threats that exist now and that will develop in the future, and (2) respond and recover should a breach occur.
ESTABLISHING A STRATEGY
When developing a cybersecurity risk management strategy, plan sponsors should understand the potential risk sources and exposure size. Plan sponsors can start by identifying and prioritizing what data are most critical to protect and the foreseeable threats to that data. Based on those priorities, a strategy to minimize threats and respond to any breaches can be developed.
UNDERSTANDING PLAN DATA
Although there are certainly important cybersecurity considerations relative to managing plan assets, the primary focus of this document is considerations for managing cybersecurity risks associated with plan data.
The availability and use of participant data is critical to benefit plan operations. Understanding how plan data is handled and who is handling it is fundamental to a cybersecurity risk management strategy. To facilitate this understanding, plan sponsors and/or fiduciaries may ask:
- What should be protected? Participant data can contain confidential and sensitive personally identifiable information. This data may include Social Security numbers, names, dates of birth, dates of hire, compensation, medical claims data, personal bank account information and individual asset balance information.
- What is the plan type? Plan type affects the kinds of data at risk. For example, defined contribution retirement plans have individual asset balance information, whereas health and welfare plans track healthcare data. Plans may also have personal bank account details.
- How is the data classified? Benefit plan data sometimes have special classifications. Specific standards of care apply to different types of data. Examples include Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”).
- Where is the data stored? Multiple parties handle and retain benefit plan data, so understanding where the data is held, how the data is being stored, and the retention period are important security elements for evaluating the total risk exposure.
- Who is accessing the data? Benefit plan data is shared across multiple parties and systems as a part of the plan administration process. Involved parties will want to state any security requirements, so data is not shared unless the requirements are met.
- How is data accessed? Systems used to administer the plan may be linked to unrelated systems that give hackers unintended access. How benefit plan data is shared, accessed, transmitted and secured across systems provides insight into overall vulnerabilities and total exposure.
- Is access properly controlled? Human errors (accidental exposure, lost devices and other non-malicious forms of data loss) represent a significant percentage of data breaches. Therefore, it is important to understand how access is controlled and what manual and automated procedures are in place to manage that access. Encryption is essential and experts agree that data should be encrypted both at rest and as it moves through systems. Automated procedures can be more controlled than manual procedures.
- What data is needed? Transmitting and receiving data that is not needed to execute a task or support the plan puts more data at risk than necessary.
- What data needs to be retained? Holding on to data that is not needed increases the potential for the data to be unnecessarily compromised.
- What are the threats? Threats are changing all the time, so it is important to have a dynamic system. Hackers steal data and sell it. A ransomware criminal can freeze your system until you pay a ransom fee. Threats can come through email, social media, Internet exposure, or even through unrelated applications.
For more background and information on cybersecurity frameworks, strategies and processes, please see the Advisory Council on Employee Welfare and Pension Benefit Plans’ 2016 report “Cybersecurity Considerations for Benefit Plans.”