United States

Cybersecurity risks to employee benefit plans


What if you logged into your benefit plan account and discovered a balance of zero? It’s not a market crash; a cybercriminal gained access to your account and wiped out your funds.

It sounds like an exaggeration, but it could happen. Increasingly, benefit plans are being targeted by hackers; this risk threatens plan administrators, participants, and third-party record-keepers and payroll providers. Many organizations feel they are too small to be targets, or that their third-party providers will be responsible or prevent any harm. This perception of safety, however, is unrealistic. Retirement and health and welfare plans are tempting targets for hackers, but there are steps that organizations can take to protect themselves, their plans and their participants.

Threats to companies

It is difficult to make risk management decisions without a realistic understanding of level of risk. Most of the high-profile hacking incidents of large, well-known companies are not the rule but the extreme exceptions. Based on an extensive data mining study of insurance claims for damages from cyber-related events, the vast majority of the claims (about 85 percent) are from companies with revenues under $2 billion. In fact, most of these companies generate under $300 million. Companies that rationalize their risk decisions by thinking they are too small to be targets are setting themselves up to be targets.

Technical issues such as hacking and malware make up less than 50 percent of the claims. Lost devices, misplaced paper records, staff mistakes and rogue employees, however, play roles in a large percentage of unauthorized breaches. Yet most companies discount these risks and focus their planning solely on technical defenses. The best risk strategies address both technical and nontechnical areas.

The stakes for companies can be high. More than $1 trillion in combined contributions and benefit payments flow through retirement plans every year in the United States. There is a lot at risk, and no employee benefit plan is immune, regardless of size, from hackers. Regulatory claims are becoming more onerous, with the average claim in the last year hovering around $6 million. Notifications telling participants what was lost are becoming more expensive as well.

Currently, the most common issue that companies are dealing with is ransomware and distributed denial of service (DDOS) attacks, which hackers use to deny organizations and participants access to their resources until a payment of some kind is made. Three years ago, the average ransomware cost was about $8,000; today, breaches can cost as much as $500,000 or more. Financial services and health care organizations have been the most susceptible to ransomware extortion.

Notably, about 25 percent of claims had some type of insider involvement, either by mistake or through intentional action. It’s worth noting that maliciously motivated insider events resulted in more expensive claims by a factor of four.

To make matters more egregious (and expensive), the fact that the incident occurred, or the factors that allowed the incident to spread, often reveals that a company’s deployed controls were not effective. Regulatory bodies alerted to an incident can declare such a company retroactively noncompliant, then fine it for the total period they feel it was in violation. Costs related to regulatory actions can be further exacerbated if an organization is required to participate in an ongoing assessment program at the organization’s expense.  

Threats to employees and plan participants

The three most common threat scenarios:

  • Social engineering, often through emails with links to fake websites, is on the rise because human nature makes this simple approach to unauthorized data access one of the most successful types of hacking. These deceptions are hitting benefit plans now, often through bogus requests for access, demands to move funds, appeals for contact or contract information, or other manipulations. These breaches are usually considered the company’s fault, unless it can be proven otherwise.
  • Using identity data stolen from other sources is another method used to access the benefit plan. Sources might include sites such as Equifax or Yahoo, where users often post identity content, or retail outlets where consumer information has been hacked.
  • Local infections on user systems are the most common type of breach by far. These systems may be lacking in firewalls and patches, and thus are vulnerable.

It’s worth noting that end users are most often hacked without the company’s involvement. The hacker is gaining access to the participant’s assets not by breaching the company, but breaching the user’s account directly.

Threats to third parties

Third-party breaches expose twice as many records on average as in-house incidents. Breaches of third parties were 13 percent of the total reported claims studied—that is, they lost a company’s data on the company’s behalf. These breaches can be very difficult and expensive to investigate.

Unfortunately, the lack of regulation and industry standards for cloud hosting and service providers makes it difficult to properly judge risk. Contrary to the U.S. government, which requires its providers be compliant with Federal Risk and Authorization Management Program standards, most industries do not have similar standards required of their providers.

Contract language for most providers often tries to push liability back onto the company (and its insurance company) and limit the company’s ability to participate in, or even know about, a security incident. The most common risks for third parties―technical risks within their apps, networks, platforms and the like—are typically difficult for companies to discover, as the third party must approve technical testing. This leaves companies few options other than to ask for independent third-party reports.

Recommendations for security

So what can companies do?

  • Ransomware and DDOS: For a variety of reasons, and despite plans to the contrary, most victims end up meeting ransom demands. To prepare for this eventuality, companies should already be set up to be able to make ransom payments. Payments are often required in cryptocurrency, to which many companies may not have access—this situation can extend system downtime, delay the payment and, as a result, often increase the amount of the ransom. In anticipation of having to pay a ransom, companies should open and maintain an account to minimize potential downtime. There are third parties who can help make payments as well.
  • Rogue insiders or user mistakes: There are limited options, but new tools and platforms that provide behavioral monitoring can, over time, alert management to system usage that is out of the norm. Alerts for users logging in at odd times, the movement of unusual amounts of data, significant amounts of cloud email and storage being utilized, or even resumes being updated and job sites visited might indicate internal problems.
  • Social engineering: Companies need to make sure they are rolling out security awareness training to everyone involved in administering and participating in the plans. Many employees simply do not understand the methods used in social engineering, and this makes them vulnerable to it. One way to ensure employees are engaged in the training is to present it as a way to defend their personal home systems. Do not excuse executives from this type of training; they are the most common targets and can be just as vulnerable. Communicate with employees and other participants. Let them know the sorts of things you will never ask; how they should contact you; how you will contact them regarding warnings of known phishing campaigns; the expected level of security they should have on their local systems. Make sure your responsibilities are covered, and offer training and security tools to users.
  • Incident response: A response plan is only as effective as the supporting components to make it work. Management should recognize when it is in over its head. The urge to try to manage it internally is overwhelming, but the appearance of delaying a response can cost companies in lawsuits and fines later. It also often leads to the destruction of evidence of the attack, but not the elimination of the hacker from the environment. Companies should do a triage to stop the attack from getting worse, then take their hands off the keyboards and call in the incident response team.
  • Technical reviews: Include the right to audit in third-party contracts, including technical reviews, then plan to use it. Not doing so could look like negligence, and could incur liability if the third party is breached.
  • Insurance: This is the last line of defense. Companies should not count on cyber insurance being covered under a general policy; it is often specifically stated that a separate, stand-alone policy is required for cyber incidents. Make sure the policy is covering the most common costs; DDOS and ransom payment incidents—among the most common and expensive—are often carved out of agreements. Management should make sure contracts cover fines and that the sublimits are reasonable.

Other basic security hygiene practices include voice verification, e-mail alerts on account activity, randomly generated security checks by test message or email, and access restrictions for unrecognized computers. These are conditions that companies and their third parties should be offering within their portals.

For more information on this topic, listen to the webcast


How can we help you with your benefit plan?

(* = Required fields)