Holly Hejmowski, CPA
Employee Benefit Plan data is an attractive target for cybercriminals
Today’s businesses learn more about cybersecurity every day, but it’s still a challenge to stay ahead of those who could hack their systems for fun or profit. With stories of cyber breaches reported in almost every news cycle, executives have come to appreciate the importance of protecting customer data from outside attacks. But customers aren’t the only people who share private data with businesses.
Employees submit sensitive personal information to their employers and the benefit plan managers that employers choose. The data shared can range from the same type of financial information that businesses get from customers to much more sensitive health and personal information than most companies would ever request from clients or customers. Cybersecurity efforts generally offer some benefit to every type of information a business needs to guard, but employee benefit plan (EBP) data deserves some extra attention.
EBP data is a prime target for cyber-attacks because:
- It’s almost entirely electronic,
- It’s typically maintained on multiple systems (e.g. the employer’s, the third-party administrator’s, the payroll provider’s), and
- Updates are transmitted regularly among the parties.
Protecting Sensitive Employee Benefit Plan Data From a Cybersecurity Attack
Hackers can approach from a variety of directions. They can phish in the employer’s environment, attack firewalls at a plan administrator, or intercept transmissions of data passing between the parties. It’s not hard to figure out when your paydays are, or when you transmit W-2s to your employees.
With so many potential vulnerabilities, what steps can employers take to protect sensitive employee benefit plan data? Here are five strategies your organization can deploy:
- Internal Cybersecurity Strategy – Prepare a Cybersecurity Risk Management Plan
The first step every employer needs to take to protect EBP data is to account for it in a cybersecurity risk management plan. Everybody lives in fear of hearing that their customers’ credit card info has been stolen and posted to the web, so they focus efforts on protecting customer transactions. Employers need to treat EBP data with the same sense of urgency and make sure that internal cybersecurity plans address specific needs in this area.
- Point out that phishing scams can target benefit information just as easily as they target customer databases.
- Coordinate with benefit providers to train employees on how those providers initiate contact. If your 401(k) provider says, “We never initiate a contact via e-mail,” your people need to be suspicious if they get an unexpected e-mail from them.
- Cybersecurity penetration tests need to include EBP systems.
- External Cybersecurity Strategy – Have an Expert Prepare a System and Organization Controls Report (SOC Report)
EBP service providers typically place a high premium on cybersecurity. They understand how attractive their systems are to hackers and how much their reputation depends on protecting client data. But how can you evaluate the effectiveness of a provider’s data security precautions?
These external service providers can hire CPAs to prepare “System and Organization Controls” (SOC) reports that communicate relevant information about the effectiveness of their cybersecurity risk management programs. Employers who outsource employee benefit functions can review these reports to learn how a provider protects the sensitive information it receives.
- Transmissions – Evaluate the Security of Your Communication Channels
Don’t overlook the fact that employee benefit plan data needs to get from your protected environment to your provider’s protected environment without being intercepted along the way. Be sure to evaluate the security of your communication channels, and consider options for encrypting transmissions and securing any shared servers used for the exchange.
In the event two providers share data directly (such as a payroll service transmitting data to a 401(k) provider), take time to verify that their handoffs meet your requirements.
- Mitigation of Cybersecurity Damages – Basic Alerts
As much as businesses plan to manage cybersecurity risks, no system is invincible. For this reason, your EBP cybersecurity plan must provide for the mitigation of damages in the event of a breach. You should have basic breach notifications drafted in advance so that affected individuals can be alerted as quickly as possible, and you should consider providing benefits like credit monitoring so that employees can protect themselves before their data is used fraudulently.
- Connect with Freed Maxick Cybersecurity Experts
In a competitive employment market, businesses need to take every step possible to make themselves attractive to potential employees and to avoid the kind of damage that an EBP breach can cause to a reputation.
If you’re wondering whether your cybersecurity risk management plan adequately covers your EBP needs, Freed Maxick can help. We have the experience to evaluate all facets of your EBP security and to help you remediate any issues that may exist.
For more information, please contact us here or call 716.847.2651.