Breaches cause an immense headache for businesses, not to mention the financial toll they can take due to damage control and loss of business. The government has tried to help prevent such breaches through laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and PCI Data Security Standard. They provide guidelines for how to handle, store, and protect sensitive information. Lately, cyber security risk has become an important factor for plan sponsors.
Historically, most employers have only worried about HIPAA and the privacy and security for health plans. ERISA does, though, require that a plan sponsor protects the confidentiality of personal information. Even without regulation, it is in a company’s best interest to avoid a data breach if possible.
Pension Plan Data Breaches
Pension plans can create quite a security risk for sponsors. There have been many pension plan data breaches, as identified by the American Institute of Certified Public Accountants (AICPA). Some examples are:
- Database hacking due to the plan's failure to install security system updates
- Virus planted to steal login information that was then used to change recipients of disbursements
- Employee downloading confidential information to a home computer
- Unauthorized login to a broker website that resulted in payments being sent to the wrong person
- Email phishing that lured participants into sharing personal data
- Personal information being stolen from laptops
With so much information online, and so much of it shared between plan sponsors and vendors, there are innumerable opportunities for cyber-attacks.
Cyber Security Insurance
While there is insurance available for cyber security, it tends to be expensive and the terms vary. If you are considering cyber security insurance, make sure to review the terms and coverage carefully. Not everything may be covered.
Data breaches caused by cyber-attacks can cost companies millions of dollars. Here are some potential expenses and losses to watch for:
- State law penalties
- Regulatory compliance and fines
- Costs related to breach notifications
- Post-breach employee protection
- Communications to the public and employees about the event
- Attorney fees and litigation costs
- Operational disruptions
- Cybersecurity improvement expenses
- Technical investigations
- Increased insurance premiums
- Public relations image costs
- Loss of profits
- Negative impacts on employee relations, especially collective bargaining units
- Loss of intellectual property
- Devaluation of business reputation
How Can Plan Sponsors Minimize This Risk?
Conduct Due Diligence
First, complete a risk analysis for the plan. The plan sponsor should have cyber security policies and procedures in place and all employees should be well trained in them. There should be consequences in place to ensure that all employees follow proper procedures.
A thorough analysis will identify:
- Every party with access to retirement plan data
- Every piece of equipment that may contain personal identification information (with a plan for regular inventory)
- Which vendors need which data
- The protocols used to transfer files and data to vendors, and how secure they are
- Any insurance and coverage limits
Verify Vendor Security
Plan sponsors also need to do their research regarding vendors. Here are some important questions to ask:
- Do they have a comprehensive and understandable cyber security program?
- How will the plan data be maintained and protected?
- When and how will the data be encrypted?
- What liability will they assume for breaches and what are their procedures in such cases?
- How and when will they notify plan sponsors if their systems are breached?
- Do they provide regular reports on their security risk analysis and monitoring?
- What level and type of insurance do they have?
- How do security procedures apply to their subcontractors?
- How well do they screen their employees?
Protect Your Retirement Plan
Are you set up to protect your plan and your employees’ information? Many plan sponsors are behind in securing their participants’ information. In addition, they just don’t have the knowledge or time to do a sufficient job of protecting against cyber-attacks. PlanPILOT can help by offering consulting services, as well as improving cyber security for the personal data you collect and store.
Call us today at (312) 973-4911 or email info@planpilot.com to see how we can help your clients protect their retirement plans against cyber security risks.