Managing Cybersecurity Risks: 5 Steps to Protect Your Employee Benefit Plan NOW

News stories of large corporations becoming victims of cyber attacks have become ubiquitous. And while it may seem that large corporations are easy targets because of their size and significant data, employee benefit plans can just as easily be at risk of a cyber-attack. The combination of working with multiple people in your own company, 3rd party providers, internal auditors, and more, creates the need for greater awareness and better data security controls around cybersecurity.

Specific ERISA Duties

Under The Employee Retirement Income Security Act (ERISA), plan sponsors have certain duties related to the impact that a cyber-attack or data breach could have on plan participants and beneficiaries – specifically, response and recovery from an attack. This involves anticipating critical actions and decisions before an attack occurs, not during or after the attack. This makes it is critical to developing a strategy that minimizes your plan’s exposure to cyber-attacks and other cybersecurity risks.

Any cybersecurity plan related to employee benefit plans should be a subset of your company’s overall cybersecurity strategy and should serve to primarily promote the strategic goals and objectives of the business as it relates to data security and information systems governance. There may be unique cybersecurity challenges that your organization faces when it comes to employee benefit plans, but any such policies, standards, or procedures should be recognized as in-line with the organization’s overall information security posture and should align and integrate with other existing plans.

When formulating your plan’s cybersecurity strategy, after obtaining sponsorship from senior management, you should first identify the most critical data assets to protect, the ownership of that data within the company (data custodian), and what would be the greatest threats to this data. Once you’ve identified the data, ownership, and threats, develop your strategy to minimize the risks associated with any of these threats and the course of action to take if there is a breach or attack.

Start by asking these five questions:

1. What data needs to be protected and who owns the data? Participant data files contain sensitive, personally identifiable information such as participants’ names, Social Security numbers, birthdates, bank account information and account balances. They also contain protected health information such as medical claims. Who in your organization owns the data that requires protection? Identifying the data owner is the first step in planning for classification, access, and monitoring of that data. Without identified ownership of the data on corporate networks, there is no established accountability for access to and management of the data.

2. Where is the data stored and who has access? At this point in the process, you should involve IT management to best process through answering this question. Participant data may be retained by multiple parties, including third-party administrators, custodians, actuaries, auditors, and trustees. You should determine every location where data could be held and the retention periods for each, then ensure all parties storage data meet strict security requirements. The data security requirements for 3rd parties should match or exceed the requirements imposed at your own organization. It may be appropriate to request information security audit reports from 3rd party providers to assess the maturity of their policies and controls regarding information security.

3. What are the greatest threats to this data? Not only should you determine the threats and loss exposure for your company, but you should think about any outsiders that might be interested in the data contained in documents related to your plan. For example, data could be stolen and sold to the highest bidder or cybercriminals could freeze your computer systems until you pay a ransom (known as ransomware). Today’s threats are dynamic, coming from email, the Internet, social media and newly created software viruses daily.

4. How is the data accessed and is it properly controlled? Once the location and threats to your data have been identified, work with your information security support team to make sure the proper security controls have been put in place. Sometimes, plan administrative systems are linked to unrelated systems that can open the door to hackers while data is in transit. To maintain the confidentiality and integrity of sensitive data, it should be encrypted both at rest (when no one is currently accessing it) and in transit (when it is being copied or moved to another location physically or electronically).

5. What data needs to be retained? Retention policies help dictate the length of time and reasoning data should be retained. Not all the data stored is needed to support your plan or execute tasks. Understanding any compliance regulations for your business or industry is a key component in determining the configuration of appropriate retention policies. Seek advice from executive leadership in your organization, legal counsel or from industry veterans if you’re unsure about how to create a proper retention policy and plan.

Find the Right Balance

As the plan fiduciary, you must determine the appropriate level of cybersecurity prevention given the scope of the threat, potential loss exposure and cost of taking preventative action. Here are a few things to consider in devising an appropriate cybersecurity risk management strategy for your plan:

  • Available resources: Do you have cybersecurity prevention resources available internally or do you need to invest in external resources and tools?
  • Strategy integration: Can your strategy be integrated with the rest of your organization and, if so, what are the cost-sharing protocols?
  • Implementation costs: Cost will be a major factor in your strategy, but you also need to consider the potential cost if a major cyber-attack or data security breach does occur.
  • Cyber insurance: This type of insurance typically covers third-party damage and defense costs as well as first-party coverage. Here, you wouldn’t have to wait for a third-party to sue the plan; instead, coverage is triggered as soon as a data breach occurs.
  • Contracts with service providers: Third-party administrators and other service providers with access to participant data are a possible source of data breaches. Be sure to ask detailed questions about their own cybersecurity risk management strategy.

You can also request a System and Organization Controls (SOC) for Cybersecurity Report from plan record keepers and custodians. This SOC report contains detailed information and assurances about controls affecting the security and integrity of the systems used to process data, as well as the privacy of the data handled by these systems.


Not If, But When

Many cybersecurity experts say it’s not a matter of if a cyber-attack will occur, but when. Therefore, you should be proactive when it comes to managing plan data to minimize exposure to cybersecurity threats—both now and in the future.

About the Authors

Bryan M. Smith
Bryan M. Smith
Director of IT, Information Systems
James E. Merklin
James E. Merklin
Partner, Assurance and Advisory


Stay up-to-date with the latest news and information delivered to your inbox.

Subscribe Now