As the rate of digital transformation continues to accelerate across all industries, poor cybersecurity remains a pressing threat to employers and benefit plan sponsors. Awareness of nine common cybersecurity myths can help employee benefit plan stakeholders better understand their plan’s risk posture and take steps to make improvements.
Employee benefit plans are extremely attractive targets for cyberattacks because of the sensitive information they maintain, including Social Security numbers and health information. Taft-Hartley and single employer plan sponsors specifically have a fiduciary responsibility to minimize cybersecurity risk and exposure to their plans, while the cybersecurity requirements for public plan sponsors are not as clear. Implementation of a robust cybersecurity program—including protecting sensitive data, safeguarding critical infrastructure (and everything in between)—is a vital component of any organization’s operations and essential to preserving trust among plan participants.
Nine Cybersecurity Myths
As plans face potential vulnerabilities and threats, their strategies around data protection will vary based on factors such as size, scope and unique risks at play, but here are nine myths and misconceptions surrounding cybersecurity that every plan stakeholder should be aware of to ensure a more accurate understanding of a plan’s risk posture.
Myth 1: Small employers and plans are not attractive targets, and large organizations are impervious to cyberattacks.
Small organizations are far from immune to cyberthreats. In fact, hackers often target small businesses and employee benefit plans precisely because they have less sophisticated cybersecurity measures in place and the number of small business cybersecurity attacks is rising dramatically. Recognizing that every organization, regardless of size, can be a target is an essential step in prioritizing cybersecurity.
While large corporations might have more formal cybersecurity programs, they are often high-profile targets and continue to fall victim to cyberattacks. In the recent MOVEit breach, more than 16 million people had their information, including Social Security numbers, pension information and medical records, compromised. In many cases, companies that used the MOVEit file transfer program had a significant amount of time to patch a vulnerability and did not react in accordance with community standards.<1,2> In addition, phishing attacks, in which attackers trick email users into divulging sensitive information, remain the most common entry point into a system and make every person and every organization vulnerable.
Myth 2: Formal cybersecurity is optional.
The importance of cybersecurity cannot be overstated in today’s digital landscape, where virtually every aspect of our lives is intertwined with technology. Like operating an airplane or practicing medicine, it requires expert understanding, a framework for what is needed, and constant care and feeding, regardless of the size of the organization or the scope of the risk. Neglecting cybersecurity is like leaving the front door wide open. Prioritizing a well-rounded cybersecurity program and ecosystem is a responsible and prudent decision that contributes to the overall safety, stability and resilience of an organization.
In addition, in 2021 the Department of Labor (DOL) released new guidance directed at retirement plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act and plan participants and beneficiaries.<3> After the guidance was issued, DOL began auditing retirement plans with a focus on cybersecurity.
Myth 3: Information security is expensive.
While implementing comprehensive information security measures often requires investments, the belief that information security is prohibitively expensive is a misconception. Investing in the proper cybersecurity frameworks and software rather than shouldering the cost of a security breach or data leak is likely an excellent investment. The expenses of implementing adequate security protocols are minimal in comparison with the cost of a breach, which averaged $4.45 million in 2023.<4> Properly secured technology and processes serve as the seat belts for confidential data—just as wearing a seat belt is a simple, yet effective measure to reduce the risk of injury in a car accident.
As an aside, many benefit plans can leverage cloud solutions (software as a service or SaaS) to cost-effectively manage cybersecurity. And, for smaller plans, leveraging the built-in features of comprehensive management tools like Microsoft Office 365 can significantly improve their security posture with capabilities including strong access control procedures, multifactor authentication, encryption and technical controls.
Myth 4: Our organization has cyberinsurance, so we don’t need to spend more on an information security program.
While cyberinsurance can provide financial protection in the event of a cyberincident, it should not be seen as a replacement for robust cybersecurity measures. Cyberinsurance is a safety net; it does not prevent cyberattacks or guarantee complete recovery. Investing in proactive cybersecurity measures is crucial for preventing incidents in the first place and minimizing potential damage.
In addition, cyberinsurance policies almost universally require organizations to have a formal information security management program (ISMP) in place, because without such a program (1) the risk of an incident is substantially higher and (2) the potential depth of an attack is far greater.
Myth 5: Information security is the same as information technology and the responsibility of the IT department.
There is a fundamental difference between information security and information technology (IT). IT focuses on the management and use of technology resources, while information security pertains to protecting these resources from unauthorized access, breaches, destructive actions and other threats. Information security encompasses policies, procedures and practices designed to safeguard digital assets, while IT addresses the technical aspects of managing and maintaining these assets through effective service delivery. By understanding the distinction between these two concepts, organizations can effectively allocate resources, prioritize initiatives and develop comprehensive strategies that address both technical and security-related challenges.
While IT departments are responsible for keeping systems operational, they usually are not risk or information security professionals. Furthermore, asking an IT department to assess its own work may not be ideal. Plan sponsors may want to consider instead using trained professionals who are not operating the systems to conduct risk assessments and information security assessments.
Furthermore, IT teams may be well-versed in recognizing technical issues, but they might not have the expertise to identify other risks, such as regulatory compliance violations, insider threats or physical security vulnerabilities. This is why conducting a comprehensive and accurate risk assessment should be a collaboration between information security experts, IT, legal, compliance and business units.
Ensuring information security requires involvement from all levels of an organization. As detailed below, leadership, employees and even third parties must collaborate to create a culture of security awareness, compliance and risk mitigation.
- Leadership plays a pivotal role in shaping the organization’s approach to information security. Executives and managers must champion the importance of security and provide resources, prioritize initiatives and establish policies that guide the entire organization. IT is simply not in a position to effectively act in this role.
- Employees are often the first line of defense, and their actions can significantly impact the organization’s security posture. When management fosters a culture of security awareness from the top down, employees are empowered to recognize and report suspicious activities, practice excellent cybersecurity habits and adhere to policies and best practices.
- Third-party partners (e.g., vendors and service providers) can introduce security risks, and not just through IT. Collaboration with these partners should include due diligence on their security practices, contractual agreements that outline security expectations, and ongoing monitoring to ensure compliance.
Myth 6: Commercially reasonable<5> information security can be done without an industry framework.
There is no one-size-fits-all approach to implementing a commercially reasonable information security management program. Industry frameworks, such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) or ISO 27001, provide structured guidelines and best practices for establishing effective information security practices. In the United States, many consider the NIST Cybersecurity Framework (CSF) to be the de facto standard for managing information security, and it is free to all to download. Attempting to achieve commercially reasonable information security without leveraging an industry framework typically results in ad hoc and inadequate security measures that leave an organization vulnerable to evolving threats.
Industry frameworks also offer a road map for identifying, assessing and mitigating security risks, while the organization benefits from the collective knowledge and experience of the cybersecurity community. And the frameworks offer flexibility to adapt security measures to the unique characteristics of the organization.
Myth 7: Benefit plan vendors will accurately self-report their information security status.
Third-party vendors, which can include third-party administrators (TPAs), recordkeepers, IT vendors and actuaries, often have access to an organization’s systems, data and/or networks. Inadequately vetted vendors can serve as entry points for attackers aiming to compromise the organization’s security. Relying solely on a provider’s self-reporting for information security assessments is an ineffective approach that can lead to critical gaps. Even assuming that vendors have adequate subject matter expertise to understand the risk, they may not always provide accurate or complete information about their security practices.
Independent verification and assessment—which usually include audits performed by external experts—along with contractually defined obligations and ongoing monitoring, are necessary to ensure vendors adhere to defensible security standards. DOL has published “Tips for Hiring a Service Provider With Strong Cybersecurity Practices” that can help plan sponsors select and monitor plan vendors.<6>
Myth 8: Cyber-resilience is solely about technological solutions.
In today’s digital landscape, the concept of cyber-resiliency has emerged as a critical paradigm for organizations to navigate the complex and ever-evolving cyberthreat landscape. However, there is a common misconception that cyber-resiliency is solely dependent on implementing technological measures. While technology indeed plays a vital role, true resiliency encompasses a holistic range of components that collectively bolster an organization’s ability to withstand and recover from incidents.
Cyber-resiliency extends beyond technology to encompass people, processes and cultural aspects within an organization and involves preparing for potential cyberincidents before they occur. This includes developing proactive strategies, policies and procedures that outline how the organization will respond to different types of threats. Preparedness extends to creating incident response plans, conducting drills and ensuring that teams are well-equipped to handle emergencies.
But it is not just about preventing cyberincidents; it is also about an organization’s ability to recover swiftly and minimize damage when incidents occur. This includes having an incident response plan, ensuring a robust backup and disaster recovery strategy as well as navigating legal and regulatory matters.
Myth 9: Cybersecurity is a one-time effort.
Cybersecurity is an ongoing process that requires continuous monitoring, adaptation and improvement. Many organizations fall into the trap of thinking that implementing security measures once is enough. However, cyberthreats are constantly evolving, and new vulnerabilities emerge continually. Regular assessments, updates to security measures and staying informed about the latest threats are all crucial to maintaining an effective cybersecurity posture.
A Holistic Approach for a Secure Future
Dispelling cybersecurity myths and misconceptions surrounding benefit plans is not just about correcting misperceptions; it is most importantly about laying the foundation for a comprehensive and proactive cybersecurity strategy that protects plans and participants. A well-rounded approach to cybersecurity considers people, processes, technology, legalities and resiliency. Organizations that embrace these principles position themselves to thrive in an era where cyberthreats are a constant reality. By understanding and addressing these myths, organizations can take a significant step toward ensuring the security, integrity and trustworthiness of their operations, safeguarding both their assets and their stakeholders’ confidence.
Benefits Magazine Extras articles provide you with bonus content on a mix of benefits topics as well as deep dives and analyses on the latest benefit trends and compliance issues. Foundation members can visit ifebp.org/benefitsmagazine to view the full bimonthly print edition of the magazine.
David Lam, CISSP, CPP, is a partner and leads the information security group at Miller Kaplan, an auditing and accounting firm in North Hollywood, California. He provides clients with information security management support and helps them achieve optimal usage of their technologies. He has more than 30 years of experience managing information for small and medium businesses and is a former chief information officer and chief information security officer. He holds a bachelor’s degree from the University of California Los Angeles.
Endnotes
<1>The term community standards refers to the general consensus of the information security community as to what is considered reasonable.
<2>For information on this breach, see, for example, www.reuters.com/technology/moveit-hack-spawned-around-600-breaches-isnt-done-yet-cyber-analysts-2023-08-08. This type of breach is concerning to plans because it’s an example of how software that is used within an organization can lead to a breach, even if that organization is doing everything else right.
<3>www.dol.gov/newsroom/releases/ebsa/ebsa20210414.
<4>Cost of a Data Breach Report 2023. IBM.
<5>Commercially reasonable is the idea that the information security practices in place are appropriate to the risk of the information that needs to be protected.
<6>www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf.