Criminals want what benefit plans have: personal identifiable information that can be sold for great value on the dark web.
Pension and benefit plans, administrators and affiliated trade unions of all sizes face the threat of cyber attacks over their stores of social insurance and Social Security numbers, member income levels, home and work addresses, family and dependent information, and medical treatment histories—not to mention the large amounts of money that are being held for current and future benefits.
In their article “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” in the May/June 2019 issue of Plans & Trusts, authors Rishan Lye, Bishara Rizek and David Veld from BDO Canada note that having a complete cybersecurity strategy is no longer a niche consideration. It is a requirement for all organizations.
As part of their fiduciary duties, administrators and trustees are responsible for the security of their trust funds. And legislation in Canada, the United States and Europe can levy heavy fines against organizations that fail to protect personal data. Lye, Rizek and Veld highlight the need for employee pension and benefit trust funds to assess and address cyber vulnerabilities among employees and third-party administrators.
Eight Steps to Help Prevent Cyber Crimes
The authors state that a complete cybersecurity strategy aims to protect employee benefit plan data by focusing resources on the following eight domains.
1. Cybersecurity Training
Make sure those involved in administering the trust fund are trained in cybersecurity. Focus on cyber threats, vulnerabilities and attacks; risk management; intrusion prevention and detection; incident response; and business continuity.
2. Frameworks and Standards
Apply a series of tests, such as a data-flow analysis, that comprise a thorough gap assessment.
3. Risk Assessment
Regularly schedule vulnerability assessments, penetration testing and data privacy assessments to secure your technology assets.
4. Governance
Have a management team skilled with audit processes and procedures; studied in relevant legislation; and savvy on how to close a breach, how to stop a threat and who to inform in case of an attack.
5. Security Operations
Employ a team that is up to date on the latest attack vectors to protect technology assets and prevent security breaches. The security operations team should maintain the network, including patching servers and hot fixes, and continually improve the perimeter of what is protected as threats evolve. This team is also charged with incident response, trained to address everything from hacked laptops to stolen hard drives.
6. Security Engineering
Whether your software is custom-built or vendor-provided, hire software architects to make sure the systems design of your network is sound, from identity management to security protocols. Vendor-provided software should also be confirmed to be following appropriate security protocols. If there is a hack, this team is also responsible for data forensics.
7. Cyber Plan (Including for Email and Social Media)
Email can introduce vulnerabilities when an employee sends work products to a personal address, and social media is a large attack surface allowing hackers access to people and information that can be used in social engineering attacks. Develop cybersecurity policies to limit threats. Two methods include ensuring appropriate password management and monitoring social media account activity.
8. Incident Response
Put systems and processes in place for a swift and safe resumption of operations in the instance of a cyber attack. Include an incident response plan that identifies roles and responsibilities; requisite notifications, including when reporting will be made to trustees and other third parties; critical functions (for example, the payment of benefits); and assurances that must be addressed before coming back online. All breaches should be documented, and major incidents should undergo a post-incident review.
“Cyber attacks continue to become more sophisticated and more automated,” the authors write. “For employee benefit plans, having a complete cybersecurity strategy is an increasingly necessary cost of doing business.”
[Related Reading: 6 Lessons Learned From a Ransomware Attack]
Want to Learn More About Building Your Cybersecurity Strategy?
Register now to attend the upcoming Fraud Prevention Institute for Employee Benefit Plans July 15-16, 2019 in Chicago, Illinois. The conference will uncover emerging trends in fraud prevention, share the latest in cybersecurity and deterrence of data breaches, and provide instructive guidance for internal controls and risk prevention.
At the conference, “Securing Your Plan’s Valuable Information: 8 Steps That Prevent Cyber Break-In” author Bishara Rizek from BDO Canada will be presenting during the panel discussion “Best Practices in Fraud Prevention.”
Robbie Hartman, CEBS
Editor, Publications for the International Foundation
The latest from Word on Benefits: