Managing a benefit plan can be a challenging task. There are multiple rules and regulations that must be followed, including those mandated by both the IRS and the Department of Labor (DOL). Many of these originated with the Employee Retirement Income Security Act of 1974 (ERISA), which was designed to provide a broad framework for how plans should function, including rules on plan administration, participant access, annual audits, and more. A central theme interwoven across these rules is risk management. While many are familiar with traditional risk management issues, fewer are aware of the risks presented by data breaches, malware, and phishing attacks. Last year alone there were over 1 million data breaches resulting in the exposure of 155.8M records. To help address the issue, the DOL recently issued cybersecurity guidance for ERISA plans providing important steps to follow to reduce the risks of an attack. While the guidance is useful, many still have questions about the threat, how it works, and the comprehensive steps which can be taken to ensure a maximum level of protection. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key information below.
Many are unaware that the digital information necessary for plan administration, such as PII and enrollment data, is valuable and can be misused. The highest risk plan data is the personally identifiable information (PII) retained for each participant, such as social security numbers, dates of birth, and financial account information. Since this information almost never changes, it can be used to perpetrate crimes over an extended period. Enrollment data such as account balance, direct deposit information, and compensation could be used to request loans and distributions.
The costs of a breach can be significant and most often impact the plan administrator and third-party providers. They begin with breach detection and include incident response, determining the extent of the attack, data recovery, and confirmation of system integrity. The theft of PII can lead to further financial loss, especially for participants, cascading down to plan management. It is also possible that plan fiduciaries could be found responsible for a breach of duty and be required to restore losses.
In fact, there have been several cases litigated around the damages caused by data breaches and the draining of accounts using illegally obtained data. In a recent case, a participant submitted a plan loan request for $15,000. In the process, cybercriminals intercepted the request and were able to withdraw over $400,000 through fraudulent applications. In this case, questions about the breach of fiduciary responsibility were a central issue.
The unfortunate reality is that cybercriminals are innovative and constantly increasing the complexity of the schemes used. However, there are three common types of attacks used, including:
Plan administrators often have questions about their responsibilities for protecting against such attacks. According to a DOL report, Cybersecurity Considerations for Benefit Plans, there are several items that should be implemented, including a comprehensive incident response plan. It should include a communication process, steps for determining the extent of an attack, breach correction methods, and mitigation against future attacks. Plan sponsors are also encouraged to explore the limitations of existing insurance coverage and to supplement it where there are gaps.
Contact Us
Cybersecurity is not a new issue, but it is one that plan sponsors need to pay careful attention to. If you have questions about the information outlined above or need assistance with a plan administration or plan audit issue, then Wilson Lewis can help. For additional information call us at 770-476-1004 or click here to contact us. We look forward to speaking with you soon.