Protect your employees’ retirement plans from hackers
by Crystal A. Skotedis
There was a day not so long ago when homeowners didn’t lock their doors. They trusted that no one would enter uninvited.
Likewise, many employers today blindly trust that the retirement plans they offer to employees – primarily 401(k) plans – are secure. There is a strong probability that computer hackers will enter uninvited and steal the plan participants’ personal information.
It isn’t a question of whether a security breach will occur. It is a matter of when.
Employers who sponsor retirement plans maintain large amounts of personal information that is accessible online to participants and routinely exchanged with and stored by third-party plan administrators. Employers providing employee benefit plans face three types of cyber risks:
- Employee Data: Much personal information is stored and transmitted to sponsor a retirement plan properly, often including the name and Social Security number of participants and their beneficiaries, amount of compensation, home address, email address, bank account number and birthdate. Employers should ask what information is being stored internally and transmitted externally and is all of it necessary? Share only the bare minimum required with benefit service providers. For example, an employee’s full Social Security number can be omitted from reports to enhance security. A cybersecurity expert can help determine how to safeguard sensitive data.
- Technology: Business technology can quickly become outdated and penetrated, allowing the interception of information. What are the company’s risks? For example, are the company’s server and Wi-Fi secure? What information is stored by service providers on the cloud? Limit personal information sent through email and opt for encrypted and secure systems. Again, we recommend consulting an expert.
- Service Providers: If you have outsourced the recordkeeping of your retirement plan, unfortunately you have not outsourced your risk. Any company providing a retirement plan, whether a one-person operation or an organization of any size, is required by U.S. Department of Labor and IRS regulations to keep employee data secure. What processes and procedures are in place to safeguard your employees’ personal information? When was the last time you asked your third-party administrator, investment advisor, asset custodian or auditor about their cyber controls?
Employers may believe they have considered all types of cyber risk to their company, but innocently overlook threats to employee benefit plans. Regulations stipulate a plan sponsor has an obligation to ensure its processes protect the confidentiality of personal information relating to individuals’ retirement accounts and benefits. Not only that, but it also makes good business sense to protect employees’ personal information as the cost of reacting to an attack far outweighs the internal time and costs in mitigating one through developing, implementing and monitoring processes to keep information safe.
Costs of a breach arise from:
- Detecting the extent of the breach
- Attempts to recover the data
- Restoring the system’s integrity
- Breach notification and credit monitoring
- Potential assessment of penalties under state and federal law for unauthorized disclosure of protected personal information
- Potential for civil claims by those affected
- Loss of productivity and stunted business growth during remediation
- Damage to reputation
- Loss of employees or clients
Each company’s cyber risk mitigation program is unique based on the type of benefits plans offered, how the data is maintained, stored and accessed, and the number of functions outsourced to third parties. An organization’s leaders must understand potential threats so they can make informed decisions on the type of cyber risk management program they need.
Questions to ask business’ benefit plan provider or third-party administrator (TPA)
Company leadership should ask the following questions before trusting current or potential service providers with employees’ data.
- Do you have a cybersecurity program to protect my employees’ data?
- Is information you send to me protected or encrypted? What is the most secure way that I may send information to you?
- How do you detect breaches? If you discover a breach, how do you respond? Do you assume any liability for breaches?
- May I review Service Organization Control (SOC) audit reports that address your cybersecurity controls and ability to maintain confidentiality? Because these reports will likely be highly technical, you may want to consult a cybersecurity expert.
7 key internal safeguards
Employers sponsoring benefit plans must be able to spot a variety of threats, including a hoax phone call or email message. Policies and training should focus on today’s hazards, the importance of keeping all information confidential and the company’s policies and procedures.
The employee who manages the company’s cybersecurity should be routinely:
- Identify the personal information stored.
- Analyze the risk of unauthorized access.
- Minimize the amount of personal data that is retained in-house and exchanged with service providers and participants.
- Implement a program to protect the personal information that is needed and used to administer the plan.
- Establish measures to detect when data has been inappropriately accessed.
- Ensure the ability to respond appropriately if a breach occurs and notify affected participants promptly.
- Prepare a plan for the organization to recover from an attack swiftly.
With assistance from a knowledgeable professional, leadership should assess both internal and external risks to the employee benefit plan, including the security of the third-party plan provider. They should monitor, test and regularly update technology and strongly consider hiring a computer consultant skilled at penetrating a company’s network and advising on best practices.
Hackers seem always to be one step ahead of the “good guys.” Knowledge, preparation, up-to-date technology and cyber insurance are vital to avoiding severe consequences in today’s business environment.
Crystal A. Skotedis, CPA, CFE, is a principal at Boyer & Ritter LLC, where she is co-chair of the firm’s Employee Benefit Plan Services Group and is knowledgeable on all standards and requirements under Employee Retirement Income Security Act and U.S. Department of Labor regulations. She also provides audit, accounting, tax and consulting services for a variety of clients and industry groups. Contact Crystal at 717-761-7210 or firstname.lastname@example.org.