Eight Steps to Enhance Your Plan’s Cybersecurity

Criminals want what benefit plans have: personal identifiable information that can be sold for great value on the dark web.

Pension and benefit plans, administrators and affiliated trade unions of all sizes face the threat of cyber attacks over their stores of social insurance and Social Security numbers, member income levels, home and work addresses, family and dependent information, and medical treatment histories—not to mention the large amounts of money that are being held for current and future benefits.

In their article “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” in the May/June 2019 issue of Plans & Trusts, authors Rishan Lye, Bishara Rizek and David Veld from BDO Canada note that having a complete cybersecurity strategy is no longer a niche consideration. It is a requirement for all organizations.

As part of their fiduciary duties, administrators and trustees are responsible for the security of their trust funds. And legislation in Canada, the United States and Europe can levy heavy fines against organizations that fail to protect personal data. Lye, Rizek and Veld highlight the need for employee pension and benefit trust funds to assess and address cyber vulnerabilities among employees and third-party administrators.

Eight Steps to Help Prevent Cyber Crimes

The authors state that a complete cybersecurity strategy aims to protect employee benefit plan data by focusing resources on the following eight domains.

1. Cybersecurity Training

Make sure those involved in administering the trust fund are trained in cybersecurity. Focus on cyber threats, vulnerabilities and attacks; risk management; intrusion prevention and detection; incident response; and business continuity.

2. Frameworks and Standards

Apply a series of tests, such as a data-flow analysis, that comprise a thorough gap assessment.

3. Risk Assessment

Regularly schedule vulnerability assessments, penetration testing and data privacy assessments to secure your technology assets.

4. Governance

Have a management team skilled in audit processes and procedures; versed in relevant legislation; and knowledgeable about how to contain a breach, how to stop a threat and whom to inform in case of an attack.

5. Security Operations

Employ a team that is up to date on the latest attack vectors to protect technology assets and prevent security breaches. The security operations team should maintain the network, including patching servers and applying hot fixes, and continually expand the perimeter of what is protected as threats evolve. This team is also charged with incident response and should be trained to address everything from compromised laptops to stolen hard drives.

6. Security Engineering

Whether your software is custom-built or vendor-provided, hire software architects to make sure the systems design of your network is sound, from identity management to security protocols. Vendor-provided software should also be confirmed to follow appropriate security protocols. If there is a breach, this team is also responsible for data forensics.

7. Cyber Plan (Including for Email and Social Media)

Email can introduce vulnerabilities when an employee sends work products to a personal address, and social media is a large attack surface that gives attackers access to people and information that can be used in social engineering attacks. Develop cybersecurity policies to limit these threats. Two such methods are ensuring appropriate password management and monitoring social media account activity.

8. Incident Response

Put systems and processes in place for a swift and safe resumption of operations in the event of a cyber attack. Include an incident response plan that identifies roles and responsibilities; required notifications, including when reports will be made to trustees and other third parties; critical functions (for example, the payment of benefits); and assurances that must be addressed before coming back online. All breaches should be documented, and major incidents should undergo a post-incident review.

“Cyber attacks continue to become more sophisticated and more automated,” the authors write. “For employee benefit plans, having a complete cybersecurity strategy is an increasingly necessary cost of doing business.”

Want to Learn More About Building Your Cybersecurity Strategy?

Register now to attend the upcoming Fraud Prevention Institute for Employee Benefit Plans July 15-16, 2019 in Chicago, Illinois. The conference will uncover emerging trends in fraud prevention, share the latest in cybersecurity and deterrence of data breaches, and provide instructive guidance for internal controls and risk prevention.

At the conference, “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” author Bishara Rizek from BDO Canada will be presenting during the panel discussion “Best Practices in Fraud Prevention.”

Robbie Hartman, CEBS
Editor, Publications for the International Foundation
