The Next Cybersecurity Risk? Breached Benefits Plans


Because benefits plans hold sensitive personal and financial data, cyberattacks on retirement, pension, and long-term benefits plans are becoming more common. Safeguarding this data means understanding the threat and creating policies to protect organizations and employees.

Data breaches are, unfortunately, becoming commonplace. As noted by CSO Online, the number of data breaches in the U.S. has increased 10 percent over the past five years, costing organizations an average of $3.86 million in mitigation fees, fines, lost business, and lost opportunities.

The good news? Finance leaders and IT professionals are now well aware of common cybersecurity risks, and enterprises are taking active steps to mitigate the impact of ransomware tools, malware infections and brute-force attacks. The not-so-good news? To avoid detection and bolster their profits, hackers are taking aim at a new target: staff benefits plans.

What happens if attackers breach the network? More importantly, what steps can financial decision-makers take to safeguard critical employee data?

The new risk

Why are attackers opting for benefits data? Because it's valuable to staff and employers alike. According to the Financial Times, 401(k) accounts in the U.S. hold more than $6 trillion total, making retirement accounts a fruitful area for cyberattacks. For one Massachusetts woman, thieves managed to withdraw $200,000 from her retirement account. The investigation of this theft uncovered a vast cyberattack scheme aimed at benefits plans.

Because benefits plans hold sensitive personal and financial data, cyberattacks on retirement, pension, and long-term benefits plans are becoming more common. Despite this uptick, though, there is currently "no comprehensive federal statute specifically addressing retirement plan cybersecurity obligations," according to the Society for Human Resource Management. Companies and individuals are left responsible for setting their own cybersecurity measures for their benefits plans, which can leave that data vulnerable if these measures aren't executed properly.

Legal liability

So what happens if attackers manage to breach benefits systems? According to the National Law Review, the Employee Retirement Income Security Act of 1974 doesn't require plan sponsors to protect participants' digital data. But it does stipulate that sponsors must administer their plans with the "care, skill, prudence, and diligence under the circumstances that a prudent man acting in a like capacity and familiar with such matters would use." It's not a stretch to include safeguarding against cybersecurity risks as part of this "prudence."

Along with potential legal challenges, finance leaders also face significant monetary loss. According to HIPAA Journal, HIPAA violations can cost organizations up to $50,000 per violation. With thousands—or even millions—of patient records moving through organizations each year, the potential cost of a HIPAA violation can skyrocket quickly. Since employee data often does double duty for health care and retirement plans, organizations could face large fines if hackers slip through network defenses. Next up is the actual cost of repaying any benefits money lost to hackers, along with the damage to public reputation if employees discover that their hard-earned retirement funds are suddenly missing.

Better protection

Safeguarding benefits data from hackers isn't a quick fix, but it isn't impossible, either. Strategies to boost benefits defense include:

  • Drafting better policy: Policy is critical to dealing with any cyberattack. Finance leaders should draft specific policy that lays out how data will be safeguarded (think encryption for starters) and what should happen, step by step, after an attack.
  • Addressing third-party problems: Third-party solutions offer utility but also come with risk. Make sure that any cloud-based services, software tools and external IT services have robust cybersecurity safeguards in place.
  • Factoring up: User names and passwords can be easily hacked; both phishing and brute-force attacks are regularly successful. Increase benefits-plan security with two-factor authentication, which requires employees to provide one-time text codes or USB tokens for access.
  • Buying reliable backups: The grocery workers union didn't comply with hacker demands because benefits data was securely stored on a backup server. Finance leaders should ensure that retirement plan data is treated with the same care and respect as any other mission-critical information and stored on redundant cloud backups in case of emergency.
  • Doing your due diligence: Because it's impossible to prevent every cyberattack, government agencies and regulatory bodies aren't looking for perfection. Instead, the mandate here is "due diligence." If benefits data can be better secured against cybersecurity risks, it should be. Organizations willing to craft good policy, address outside problems and implement better controls must still deal with remediation challenges after an attack, but they won't face additional penalties.

Benefits plans are next on the list for cybercriminals. Finance leaders must develop better defenses to meet the challenge head on.

To learn more about staying up to date on modern cybersecurity measures, read Ongoing and Changing Security Needs in the New Normal.

Learn about our commitment to payroll and data security by visiting ADP.com/trust.