Eight Steps to Enhance Your Plan’s Cybersecurity

Criminals want what benefit plans have: personally identifiable information that can be sold for great value on the dark web.

Pension and benefit plans, administrators and affiliated trade unions of all sizes face the threat of cyber attacks over their stores of social insurance and Social Security numbers, member income levels, home and work addresses, family and dependent information, and medical treatment histories—not to mention the large amounts of money that are being held for current and future benefits.

In their article “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” in the May/June 2019 issue of Plans & Trusts, authors Rishan Lye, Bishara Rizek and David Veld from BDO Canada note that having a complete cybersecurity strategy is no longer a niche consideration. It is a requirement for all organizations.

As part of their fiduciary duties, administrators and trustees are responsible for the security of their trust funds. And legislation in Canada, the United States and Europe can levy heavy fines against organizations that fail to protect personal data. Lye, Rizek and Veld highlight the need for employee pension and benefit trust funds to assess and address cyber vulnerabilities among employees and third-party administrators.

Eight Steps to Help Prevent Cyber Crimes

The authors state that a complete cybersecurity strategy aims to protect employee benefit plan data by focusing resources on the following eight domains.

1. Cybersecurity Training

Make sure those involved in administering the trust fund are trained in cybersecurity. Focus on cyber threats, vulnerabilities and attacks; risk management; intrusion prevention and detection; incident response; and business continuity.

2. Frameworks and Standards

Apply a series of tests, such as a data-flow analysis, that together make up a thorough gap assessment.

3. Risk Assessment

Regularly schedule vulnerability assessments, penetration testing and data privacy assessments to secure your technology assets.

4. Governance

Have a management team skilled in audit processes and procedures; studied in relevant legislation; and savvy on how to close a breach, how to stop a threat and whom to inform in case of an attack.

5. Security Operations

Employ a team that is up to date on the latest attack vectors to protect technology assets and prevent security breaches. The security operations team should maintain the network, including patching servers and applying hot fixes, and continually improve the perimeter of what is protected as threats evolve. This team is also charged with incident response and is trained to address everything from hacked laptops to stolen hard drives.

6. Security Engineering

Whether your software is custom-built or vendor-provided, hire software architects to make sure the systems design of your network is sound, from identity management to security protocols. Vendor-provided software should also be confirmed to follow appropriate security protocols. If there is a hack, this team is also responsible for data forensics.

7. Cyber Plan (Including for Email and Social Media)

Email can introduce vulnerabilities when an employee sends work products to a personal address, and social media is a large attack surface that gives hackers access to people and information that can be used in social engineering attacks. Develop cybersecurity policies to limit these threats. Two such measures are ensuring appropriate password management and monitoring social media account activity.

8. Incident Response

Put systems and processes in place for a swift and safe resumption of operations in the event of a cyber attack. Include an incident response plan that identifies roles and responsibilities; requisite notifications, including when reporting will be made to trustees and other third parties; critical functions (for example, the payment of benefits); and assurances that must be addressed before coming back online. All breaches should be documented, and major incidents should undergo a post-incident review.

“Cyber attacks continue to become more sophisticated and more automated,” the authors write. “For employee benefit plans, having a complete cybersecurity strategy is an increasingly necessary cost of doing business.”

Want to Learn More About Building Your Cybersecurity Strategy?

Register now to attend the upcoming Fraud Prevention Institute for Employee Benefit Plans July 15-16, 2019 in Chicago, Illinois. The conference will uncover emerging trends in fraud prevention, share the latest in cybersecurity and deterrence of data breaches, and provide instructive guidance for internal controls and risk prevention.

At the conference, “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” author Bishara Rizek from BDO Canada will be presenting during the panel discussion “Best Practices in Fraud Prevention.”

Robbie Hartman, CEBS
Editor, Publications for the International Foundation
