Employee benefit plans are coming under greater risk for cyberattacks.
Nearly all employee benefit plans contain high account balances and sensitive personal information for participants and beneficiaries. The following factors contribute to this increasing risk:
- Benefit plan information is almost always stored electronically.
- Employers generally do not consider benefit plans when they formulate their cybersecurity policy.
- Benefit plans are only lightly regulated for cybersecurity.
What information is at risk because of a cyberattack?
Employers and third-party service providers hold specific electronic information that is valuable for cyberattacks, including:
- Personally identifiable information like Social Security numbers, birth dates and email addresses
- Participant account balances, direct deposit information, compensation and other financial information
- Electronic health information that can be used to acquire prescription drugs, falsify insurance claims, open credit accounts or obtain fraudulent government documents
What are the consequences of a cyberattack?
A cybersecurity breach damages your reputation and company finances, including:
- Costs related to the breach investigation and recovery
- Costs resulting from losses to your employees and benefit plans
- Costs from lawsuits due to breach of fiduciary duty
- Fines and sanctions from government agencies
What responsibilities do plan sponsors have?
Plan sponsors and certain third-party service providers have Employee Retirement Income Security Act (ERISA) fiduciary obligations for each of the employee benefit plans they manage. A fiduciary is a person responsible for managing an employee benefit plan’s assets and ensuring compliance with ERISA.
ERISA requires fiduciaries to administer the plan with the care, skill, prudence and diligence that a prudent person would use under the same circumstances. Department of Labor (DOL) regulations provide specific requirements for the protection and confidentiality of personal information. Depending on the state you do business in, you may have additional cybersecurity requirements.
The DOL’s Advisory Council Cybersecurity Report recommends that employers:
- Establish procedures on how to communicate with plan participants about what they’re doing to protect participants’ personal information
- Create a process to correct a cyber breach if it occurs, including remedies for affected individuals
- Document steps they’ll take when responding to a breach
- Vet service providers and negotiate contractual provisions to lower the risks and costs of a cyberattack
- Review and understand the limitations of their business insurance and cyber insurance coverage and address any gaps in coverage
The report also identified four main areas employers should include in their cybersecurity policies:
- Data management: Have specific plans and regular updates for how you will control and protect data
- Technology management: Keep your technology up to date
- Service provider management: Regularly perform due diligence on the data security practices of your service providers
- People management: Regularly train all employees who handle personal information
Stay vigilant
Benefit plan cybersecurity is an overlooked risk, but most organizations already have a cybersecurity plan. Use the suggestions above and compare them to your plan. By testing and updating your policies, monitoring your service providers and regularly training your employees, you can lower the risk of a breach.
Looking for help?
If you have any questions about cybersecurity and employee benefits, our employee benefits team is here to help you.
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem. Please refer to your policy contract for any specific information or questions on applicability of coverage.
Please note coverage cannot be bound or a claim reported without written acknowledgment from a OneGroup Representative.
Copyright © 2024 Applied Systems, Inc. All rights reserved.