Don’t lie – have you ever “Googled” yourself? You know, typed your name into the Google search engine just to see what information is out there about you? If you have, you know how easy it is for a complete stranger to access some very personal information with limited knowledge. We’ve all heard stories of someone’s grandmother, neighbor, or friend falling for a cyber scam. Some common ones include clicking on a malicious link, accidentally downloading viruses, or sending out confidential financial information to a hacker masquerading as the IRS or Microsoft. Living in a fast paced and digital world it is all too easy to fall prey to such tactics. Did you know that companies can be vulnerable to the same kind of threats?
We trust our employers to take as much care protecting our personal information as we would; but what about all the other advisors and providers involved in day-to-day support activities for outsourced services? For example, payroll, health insurance, and retirement benefits are frequently subcontracted through third parties. With cybersecurity attacks on the rise it is imperative to review all aspects of an organization, including those that are outsourced.
According to a US Department of Labor report, there are over $9.3 trillion in retirement assets. Benefit plans are a particular target of cyberattacks as they allow direct access to monetary funds and valuable personal information to hackers. Cybercriminals have found accessing benefit databases allow for consolidated access to Social Security numbers, bank information, healthcare files and employment history. Since employee benefit plans are frequently outsourced, there are many potential weak spots that are vulnerable to attack. A sponsor should be fully aware of weak links and how it affects their employees’ retirement savings. Especially since online attacks come with a large price tag, both monetarily and otherwise. Beyond funds being directly stolen by hackers, companies also face the risk of fines from governing agencies and loss of public trust.
Regardless of size, all entities face some level of risk. Some of the most common threats are:
- Rogue insider. Unfortunately, not all who have access to secure information use their access responsibly. They may sell or fraudulently use the personal data they have access to. Employee benefit plans are a common target of identity thieves.
- Social Engineering. Social engineering is using human psychology against people to trick them into giving up confidential information. Cybercriminals exploit employees’ natural tendencies to trust others. That is why they will often use an email address that is identical to someone in management or from an outside firm that they work with. They will ask for the password to a secure site or something similar. This method is quite common because it does not require advanced computer skills, only a general knowledge of company structure and human psychology.
- Ransomware. Unlike the other methods of cyber invasion, this tactic is usually spotted quickly because a criminal will encrypt a hard drive and only release it upon payment. It is becoming more frequent because payment is usually immediate after the attack.
Strong internal controls and IT security are only the beginning steps to protecting benefit plan information. Here are some recommendations for protecting such vital data:
- Begin behavioral monitoring of accounts. Behavioral monitoring entails noticing when a user is logging in at an odd time and/or moving odd amounts. It can be the first sign of an intrusion or that someone is a rogue insider.
- Have a documented incident response plan for threats. The plan should include how to address breaches when they incur and how to communicate the breach to those affected. It is crucial that the plan includes a course of action for handling actual breaches, as well as, potential ones that were thwarted.
- Provide training for participants. Making employees aware of potential threats and how to combat them are a key component of cybersecurity. Participants should be reminded not to give out passwords over email, and to be mindful of the risk of clicking links from unknown sources. They should also be cautioned to reconsider who is requesting personal identifying information. Encourage employees to consider why someone may be asking for confidential information.
- Review your technology environment. Since technology and digital security are always evolving, one should consider bringing in outside expertise to fully evaluate the technology environment and what risks may be present.
- Maintain up-to-date insurance policies. As another safeguard, a plan sponsor could investigate purchasing an insurance plan to protect against hackers and stolen information.
As Lady Gaga said, “trust is like a mirror, you can fix it if it’s broken, but you can still see the crack”. The ramifications of a breach are long-lasting and can be costly. While remediable, those affected lose confidence in their trusted advisor’s ability to guard valuable personal data. Due to employee benefit plans becoming a common target of hackers, the AICPA and other regulatory agencies continue to develop frameworks to guide organizations and CPAs regarding digital security threats. This guidance, combined with an organization’s due diligence and risk management efforts, will serve as a critical step in the prevention of a major breach.