Is Your Employee Benefit Plan at Risk?

January 7, 2019


Check your favorite news app for the latest headlines and you’re likely to find stories involving privacy risks, cyberattacks and fraud.  While many security breaches involve personal accounts, employee benefit plans can have just as much exposure to such an attack.  Drawing on guidance from the AICPA Employee Benefit Plan Audit Quality Center, the following provides examples of cyber threats to benefit plans, the responsibilities of plan fiduciaries, and effective practices and policies to protect against cyberattacks.

What Kind of Cyber Threats are Out There?
“Phishing” – this is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.  This technique can be used to obtain logon credentials and passwords to gain access to online participant account information and request loans or distributions, redirect benefits to another account, or create fraudulent health claims.

Socially engineered malware (“SEM”) – this is a growing threat in which malicious software is inadvertently downloaded through any of several methods.  An end-user can be tricked into running a program, often from a website they trust and frequently visit; the website, however, has been temporarily compromised to deliver malware instead of its normal content.

Cyber criminals – these are individuals or teams of people who use technology to commit malicious activities on digital systems or networks with the intention of stealing.  These individuals use employees’ personal information to set up web profiles that allow them to take out loans against individual participant accounts.

Ransomware attacks – these attacks can be carried out through some of the techniques identified previously.  Through these attacks, cyber criminals encrypt and seize an entire hard drive, only releasing it in exchange for a ransom.

Loss or theft – this can include mobile devices, laptops, and flash drives with personal data, and personal information transmitted via unsecured email or portals. 

Your Responsibilities as a Plan Fiduciary
Plan administrators and those charged with governance have a fiduciary duty under the Employee Retirement Income Security Act (ERISA) with respect to the management of the plan.  These duties include acting solely in the interest of plan participants and their beneficiaries while providing benefits to them, carrying out these duties prudently, administering the plan in accordance with the plan document, diversifying plan investments and paying reasonable plan expenses.   

The Department of Labor (DOL) ERISA Advisory Council issued a report called Cybersecurity Considerations for Benefit Plans.  Within this report the DOL Advisory Council recommended the following actions:

  • The plan should establish procedures for how the sponsor, likely working with its service providers, will communicate with plan participants who may be anxious about the breach and protecting their data.
  • Sponsors should also have a process for determining how a breach will be corrected and what remedies will be used.
  • Sponsors should document both their overall process for responding to cybersecurity breaches and any steps they take in correcting an actual breach. This documentation will help show that they acted prudently in the face of the breach.
  • The Advisory Council stresses the need for plan sponsors to thoroughly vet their service providers and to negotiate contract provisions to lower or mitigate the costs of correcting a possible cyberattack on a plan.
  • Lastly, the Advisory Council encourages plan sponsors to review and understand the limitations of their business insurance coverage and consider cyber insurance to address possible coverage gaps.

Policies to Protect Against Cyberattacks
The DOL Advisory Council identified four major areas for effective practices and policies.

  • Data management to protect and control data.
  • Technology management by maintaining up-to-date technology.
  • Service provider management by performing due diligence on plan data security of service providers.
  • People issues by properly training and managing personnel.

Take Action Now
Many industry experts believe it is not a matter of if you are targeted for a cyberattack but when.  Taking the time now to put safeguards in place can help reduce the likelihood of a successful cyberattack against your Plan.

For more information regarding cyber threats to employee benefit plans, please contact a member of the Herbein employee benefit plan audit team, or email us at

Article written by Brian D. Jamnik.