Cybercrime and Employee Benefit Plans

3 minute read

Every day, news headlines are filled with stories of data breaches and cyberattacks. Unfortunately, even employee benefits plans are not immune to these threats. In fact, they are especially vulnerable. With organizations and benefits providers relying heavily on electronic access, new vulnerabilities are constantly being created.

In 2022, cybercrime caused $6 trillion dollars in damages. Cyberthreats include phishing, ransomware, and malware attacks.

Risks

Retirement, savings, health plans, and any other type of employee benefit plan is vulnerable to hackers. These types of plans can be exposed to privacy, security, and fraud risks. They are at risk due to:

• Personal identifiable information including Social Security numbers, email addresses, and birth dates. Since this information is permanently associated to an individual, it can be misused over a long period of time.
• Financial information including direct deposit information, compensation, enrollment data, and account balances. These accounts can be targeted to request loans, withdrawals, and distributions.
• Many benefit plans are connected to other service providers or vendors. This includes those that offer vision, dental, health insurance, retirement plans, and more.

Consequences

When a cyberattack occurs, there are consequences for all parties involved. Consider the following:

• Significant expenses may be involved in detecting the extent of the breach, conducting investigations, managing incident responses, recovering compromised data, and restoring the integrity of the entire system
• Monetary losses may occur to participants, the plan, or service providers if personally identifiable information is stolen
• If a security breach occurs, organizations may face operational disruption and damage to their reputation. Both may require additional costs to fix.
• Penalties or fines may occur if health plan information is released, and it violates federal laws

Mitigate Risks

Employees working remote must understand cyber threats and how to protect sensitive organization and employee information. To mitigate risks, consider the following measures:

• To protect and control data, it's important to properly monitor and maintain up-to- date technology. Vulnerabilities can be determined by conducting a gap analysis, penetration testing, or other assessments.
• Educate employees on how to handle personal data. Discuss things like passwords, locking computers, and opening questionable emails or attachments.

To shift cyber risks:

• Review contracts. Employers should review and understand what their policy covers and determine if they are appropriately covered or if additional coverage is needed.
• Obtain comprehensive insurance policies. Cyber liability insurance can cover financial losses that result from cyber incidents. Most policies cover first and third-party liability coverages. For those organizations without coverage, they may want to investigate a policy to protect their data and their employees.

With many employees working from remotely, plan sponsors may want to consider updating work-from-home policies to include cybersecurity clauses.

Other Considerations

Open enrollment may be a good time for employers to review their technology policies, contracts, insurance, and other coverages. All parties involved should have adequate data protection strategies in place. In case of a cyberattack, employers should have a basic communication and action plan to protect and restore things quickly and appropriately. Download the bulletin for more details.

¹ https://dataprot.net/statistics/cybercrime-statistics/

Additional Resource

Cyber Liability Risk Scorecard