Employee benefit plans are a common perk for many organizations. They are often seen as a necessary employee benefit, but they also come with a strong need for compliance. Specifically, ERISA-covered group health plans and retirement plans can be subject to HIPAA privacy and security laws, assurance and audit requirements and more.
Cybersecurity is often not a focus for many organizations’ employee benefit plans. After all, what would a cybercriminal want with an employee benefit plan?
ERISA-covered plans are a prime target for cybercrime. They are a storehouse of personal data on participants, including Social Security numbers and a variety of other personally identifiable information. This makes them ripe for identity theft as well as a host of other potential cyber scenarios.
Here are just a few of the cyber risks that can impact employee benefit plans:
Employee benefit plan fiduciaries have an obligation to prepare for and mitigate potential cybersecurity risks. This is critical to protecting participant information and building a strong culture of security within the organization.
The U.S. Department of Labor’s Employee Benefits Security Administration recommends the following cybersecurity guidance when it comes to private retirement plans:
These best practices should be utilized by recordkeepers and service providers who have responsibilities for plan-related IT systems and data.
Cybersecurity is a necessary component of your organization’s strategy.
The best practices issued by the Employee Benefits Security Administration should also be used by plan fiduciaries when choosing third-party service providers to help with their plans. After all, these service providers are trusted to maintain plan records and keep track of confidential participant data. It is essential that plan sponsors and service providers alike follow strong cybersecurity practices.
Here are a few recommendations when looking at third-party service providers for your employee benefit plans.
A third-party service provider is a direct link to your plan and its information. It’s important that both the plan fiduciaries and the service providers adhere to cybersecurity plans and incident response policies.
Setting up a proactive cybersecurity plan and ensuring proper vetting of service providers are essential steps for plan providers. However, there are also steps plan participants can take to reduce the risk of fraud and loss.
Routinely monitor online accounts
Regularly checking retirement accounts through an online portal can help limit the opportunity for fraudulent activity. Participants who don’t set up their online account leave an opening for cyber attackers to take over their online identity.
Update and maintain strong and unique passwords
There are lots of tips to help create strong passwords. However, one of the biggest ones is to create unique passwords and regularly change them out (every 120 days is a good rule). And never write the password down.
Enable multi-factor authentication
This requires two credentials in order to verify your identity: for instance, a password and a code delivered to your email or via text message.
Regularly update your contact information
By keeping your contact information updated, you can be immediately contacted if there’s a problem. Also, remove old information and accounts so you only have online accounts that are current.
Watch for phishing attacks
Always pay close attention to the emails you receive and the links you click on. Phishing messages often look like they come from trusted organizations but are just opportunities to lure you into passing along confidential information.
The more information we hold online, the more opportunity there is for a cyber breach to occur. Often, it’s not a matter of if it will happen, but when. There are steps you can take to help lower the risk of a cyber incident or lessen the impact should one occur.
It all begins with a culture of cybersecurity in your organization. Employee benefit plans are a perfect example of how cyber risk impacts everything you do. The more you can create proactive processes and plans to protect from a breach, the more likely you will be to lessen its impact. By creating and activating an incident response plan, you can efficiently identify, respond to, and contain an incident when one occurs.
Building a culture of security is not only necessary, it’s vital. Eide Bailly is a trusted third-party service provider for all your employee benefit plan needs. Here’s how we can help you get started.