By: Robert Faust, Principal
We have all heard the saying, “It’s not a matter of if you will get hacked, but a matter of when you will get hacked.”
With the attention and focus on your customers and vendors, have you overlooked your own employees and the sponsored benefit plans you provide for them? Hackers are no longer focused on any specific industry or group of companies. They are mainly concerned with gaining access to a large pool of sensitive information that can be held as collateral for monetary gain. As of 2018, there was estimated to be $9.3 trillion of covered assets in nearly 34 million defined benefit plans and 106 million defined contribution plans. These figures seem to present a giant bullseye for would-be hackers.
Many may think, “We use third-party service providers for our payroll, recordkeeping, custodial services and administration, so we have nothing to worry about.” But using these third-party providers does not eliminate your fiduciary responsibility to protect employee and plan data. Do you know all the providers currently serving your sponsored benefit plans, and have you taken the appropriate steps in ensuring your data is protected? When evaluating if your providers have strong cybersecurity practices, there are several key things to remember:
- Ask if the service provider has formal information security standards, practices and policies. Have these practices been tested and/or audited, and what were the results of such audits? Providers with recurring annual audit reports that verify data processing and security will provide you with more confidence in the security of your information.
- Review and evaluate the service provider’s history within the industry, including a review of any public knowledge regarding past legal proceedings and/or security incidents.
- Determine if your providers have any insurance policies that would help cover losses in the event of cybersecurity or data breaches, which could include misconduct by the service provider’s own employees or by external hacking of participants’ accounts.
- Review the contracts you have in place with your providers. Is there any wording present in them that would lead to limited liability in such security events? If possible, try to include clauses or wording that would enhance protection for the plan and its participants. Such language may include:
- Required annual security audit performed by a third-party provider.
- Clearly defined provisions around the privacy of information provided to and maintained by such providers and their requirement to meet all federal, state and local laws around privacy and security participants’ personal information.
- Clearly identified communication process in the event of any cyber incident or breach. Additionally, cooperation of the provider in any investigation should be guaranteed.
Of course, not all the burden of the security and safety of your plan and participant data can be placed on your third-party providers. There are numerous access points that hackers focus on when attempting to gain access to information, and the first line of defense is your own employees. Your employees have access to your providers’ sites, they may send and/or receive sensitive information via email, and they may not understand all the implications of such cyber issues. Below are a few steps you can take to get your cybersecurity off on the right foot.
- Require the use of multifactor authentication. This is a second form of authentication that verifies your identity when your employees attempt to log in to a system, site or software.
- Provide recurring annual cybersecurity training for all your employees. With the speed at which attacks are happening and changing, this continued training will provide new information and trends that are occurring in practice. Unfortunately, it only takes one person to let their guard down for a breach to occur.
- To complement the ongoing training, perform random security testing. This is the best way to keep your employees alert and could include simulated emails, phone calls or other forms of communication.
- Ensure your systems and data are backed up and you have a functioning backup / recovery policy in place. This will help to limit disruptions should you encounter a cyber issue.
- Just as you would like your service providers to have cybersecurity insurance, it is important for your company to have the same financial protection. This usually also provides you with access to expertise you may not have had otherwise.
Yes, the axiom, “It’s not a matter of if you will get hacked, but a matter of when you will get hacked,” may be true, but you should not ignore the issue. There are some simple items you can focus on to make your company, plan and participant data more secure.
Hancock Askew has extensive experience with employee benefit plan (EBP) audits and conducts over 100 audits annually for plans ranging from 100 participants to 30,000. For more information, please contact Robert Faust in our Atlanta office at (678) 992-1505 or reach us via our website.
Based in Georgia and Florida, Hancock Askew & Co. is a full-service tax, audit, accounting and advisory firm with more than 200 professionals. Hancock Askew also provides services such as ERISA audit and consulting, internal audit, IT risk assurance, SOC examinations, transaction advisory, business valuations and other advisory services.