How Benefit Plan Leaders Use Cybersecurity to Protect Participant Data
Published on by Joe Conover in Benefit Plan Audits
On June 13, 2019, Barnes Dennig and The Rinehart Sussli Financial Group of UBS hosted a group of experienced professionals for the sixteenth Annual Employee Benefit Plan Seminar. Given that retirement plans are a valuable tool for rewarding and attracting top talent, our goal is to help the business community stay up-to-date on the latest trends and regulations that may impact plan sponsors. The seminar included presentations on a wide variety of topics for Benefit Plan leaders.
As all of the topics covered are important for our businesses on a daily basis, we decided to expand upon each of them in a series of blogs. This first post will lay out Dennis Lamm’s insights on the state of cybersecurity in 2019.
Every day we go into work is another opportunity for our businesses to be attacked by hackers. Headlines about such attacks have been driving many companies to look for ways to stay a step ahead of the attackers and prevent data breaches. Dennis Lamm, Senior Vice President of Customer Protection for Fidelity Investments, noted that the main cause of a breach in a company’s network is “phishing” emails that reach end users. These emails carry malicious attachments, links to look-alike websites, or forms that ask the recipient for sensitive information. The consequences of a data breach can be disastrous for any business. Lamm informed us that public companies attacked by cyber criminals have seen their stock price fall by 25% to 40%. No position in a company is safe either: if a breach was preventable, the CEO could be out of a job. For smaller companies, a data breach could put you out of business.
During the seminar, Lamm presented three best practices we can all exercise on a daily basis to better prepare ourselves against cyber-attacks, whether to prevent them or move on from them:
- Protect your data
- Protect your participants
- Provide help
Protecting our data, as it relates to employee benefits, matters in many ways. Handling sensitive information such as Social Security numbers and employee wages requires attention to who can access it and how it is shared. As our businesses evolve, many tasks have been automated, which increases efficiency but can put a company’s sensitive information at risk if the automation is not monitored correctly. Lamm stated that the most common way to lose data is through unsecured third-party vendors to whom our businesses have voluntarily given access. That is not to say third-party administrators (“TPAs”) and other vendors are to blame for every breach, but completing our due diligence before contracting a TPA can save time, money, and stress. Lamm recommends keeping the following three points in mind when evaluating any vendor or system that will have access to our employee benefit plan data:
- Strategic investment in cybersecurity, meaning how much the institution spends on it. Per Deloitte, a financial institution spends on average 0.3% of its revenue on cybersecurity, which equates to $2,300 per full-time employee
- Certification to industry best practices, such as ISO 27001
- Independent assurance through third-party audits, which can be reviewed in SOC 1 reports. Keep in mind that a SOC 1 report covers controls relevant to financial reporting; for the vendor’s security controls specifically, ask for its SOC 2 report as well
Protecting your participants, as it relates to employee benefits, is the next step in ensuring sensitive information is secure. As stated in the seminar, one out of every thousand participant accounts is compromised; applied to roughly 1.5 billion accounts, that is about 1.5 million compromised accounts. The rate is this high because of a global problem called credential stuffing. Lamm explained that credential stuffing starts when millions of account credentials are stolen in a breach and the usernames and passwords are sold on the dark web. After a hacker buys that list, the same usernames and passwords are replayed against other sites; because many people reuse passwords, some of the attempts successfully log in to participant accounts, which the attacker then empties. Lamm presented a few ways we can detect and prevent this kind of fraud:
- Anomaly detection, meaning software that spots unusual behavior on participant accounts (for example, one source trying thousands of different usernames in minutes) and locks the affected accounts
- Multifactor authentication
- Real-time account alerts
- Customer Protection Guarantee, which can reimburse participants for unauthorized activity that may have occurred through no fault of their own
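As an added illustration of the first item above, not code from the seminar or from Fidelity: the following Python detector runs over a few constructed authentication log lines (the log format, field names and thresholds are assumptions) and flags a source IP that is replaying a credential list, then lists the accounts that were successfully logged into from that source so they can be locked and alerted on.

```python
"""Credential-stuffing anomaly detection over authentication logs.

Added example; not the seminar's or Fidelity's code. The log format below
is assumed and the sample lines are constructed, not real data.

Two signals are combined:
1. A source IP that tries many distinct usernames with a high failure rate
   inside a short window is replaying a leaked credential list.
2. A successful login from such a source is the account takeover to lock
   and alert on, even though that single login looks valid on its own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp src_ip username result
SAMPLE_LOG = """\
2019-06-13T09:00:01Z 203.0.113.7 alice FAIL
2019-06-13T09:00:02Z 203.0.113.7 bob FAIL
2019-06-13T09:00:02Z 203.0.113.7 carol FAIL
2019-06-13T09:00:03Z 203.0.113.7 dave FAIL
2019-06-13T09:00:03Z 203.0.113.7 erin FAIL
2019-06-13T09:00:04Z 203.0.113.7 frank SUCCESS
2019-06-13T09:00:05Z 203.0.113.7 grace FAIL
2019-06-13T09:00:06Z 203.0.113.7 heidi FAIL
2019-06-13T09:00:07Z 203.0.113.7 ivan FAIL
2019-06-13T09:00:08Z 203.0.113.7 judy FAIL
2019-06-13T09:00:09Z 203.0.113.7 mallory FAIL
2019-06-13T09:05:00Z 198.51.100.4 alice FAIL
2019-06-13T09:05:20Z 198.51.100.4 alice SUCCESS
2019-06-13T09:06:00Z 192.0.2.9 bob SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=8, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source IP
    that, within some sliding window of `window`, hit at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A normal user forgetting a password fails repeatedly on ONE username;
    a stuffing tool fails once each on MANY usernames, so the distinct-user
    count is the discriminating feature, not the raw failure count."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(not e.ok for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), fails)
                break  # one qualifying window is enough to flag the IP
    return flagged


def accounts_to_lock(events, flagged_ips):
    """Usernames that logged in successfully from a flagged source IP.
    These are the participant accounts to lock and alert on."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged_ips})


def run_detection(log_text=SAMPLE_LOG):
    """Run both stages over a log and return the findings."""
    events = parse_log(log_text)
    flagged = find_stuffing_sources(events)
    return {"sources": flagged, "lock": accounts_to_lock(events, flagged)}


if __name__ == "__main__":
    print(run_detection())
```

Note that the one legitimate-looking event in the sample, frank’s successful login from 203.0.113.7, is exactly the account takeover: on its own it passes every per-account check, and only the behavior of its source IP across other accounts reveals it. The repeated failures from 198.51.100.4 on a single username are not flagged, which is the behavior of a real user mistyping a password.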
Providing help, as it relates to employee benefits, matters when your business or its employees have suffered a data breach. Lamm offered a couple of questions we can ask our TPAs to better handle these cyber events:
- Dedicated cyber fraud support, meaning who at the TPA communicates a breach to the business or to the employees directly, and how. Depending on the size of the breach, has the FBI been informed?
- Plan-specific protection recommendations
In conclusion, Lamm laid out seven key areas in which we can train our end users to safeguard our businesses and employees:
- Use a unique password for every login, which also means not reusing old passwords
- Activate two-factor authentication for all financial accounts and email accounts
- DO NOT CLICK on links or attachments in suspected phishing emails
- Use secure devices and networks, which also means avoiding shared PCs and public networks as much as possible
- Back up company data consistently
- Secure your personal and business cell phone accounts. Hackers have been getting cleverer and now attack cell phone accounts directly. Because we rely on our cell phones for daily business, such as checking email or talking to clients, and for personal affairs, such as social media, our information is only as safe as our cell phone account. If that account is not secured, hackers can do the following:
a. Phone porting – the attacker impersonates you to your phone company and has your number moved to a new carrier and a new phone under their control, so your calls and text messages go to them
b. SIM swapping – the attacker convinces your phone company to move your number to a SIM card in their phone, rendering your old phone useless outside of a Wi-Fi network. Either attack lets the hacker receive the text-message verification codes and password-reset links sent to your number, so prefer an authenticator app or hardware token over SMS for two-factor authentication, and ask your carrier for an account PIN or port-out lock
- Put your credit on ice – Lamm uses this to mean freezing your credit accounts when they have been compromised
Lamm taught us many ways to keep our businesses secure in efforts to stave off cyber-attacks. In our next blog, we will learn from Catherine Dunwoodie about ways to attract and retain talented employees.
Additional Resources:
Watch the full recording of the 2019 Retirement plan Symposium here.
If you have questions about employee benefit plans, cybersecurity, SOC reports, or anything else discussed during the seminar, contact us here. We’ll put you in touch with a specialist who can answer your questions.