Skip to content

On-Demand: In Your Corner | Benefit Plan Cybersecurity & Risks Surrounding Remote Employees

Mar 9, 2021

Our panelists discussed the importance of cybersecurity for employee benefit plans along with the risks of a remote workforce.


Kriste DeAngelo:Good afternoon, everyone. Good morning, for those folks that are logged on on our West Coast. Welcome to the second part of our employee benefit plan series, Benefit Plan Cybersecurity and Risks Surrounding Remote Employees.

Kriste DeAngelo:Before we begin, I'd like to do a quick introduction of our speakers. I'm Kriste Naples-DeAngelo, I'm a partner in the EisnerAmper Pension Service Group. I have with me today Greg Fritsky and Kevin Nardone who is a director in our private services group who specializes in employee benefit plan audits.

We do have a lot of material today that we're going to try and cover. So I'd like to jump right into our program. Today, our learning objections will be to try and recognize common threats and identity risks related to cybersecurity surrounding employee benefit plans. But this doesn't really apply just to benefit plans. This is within your company's environment as well but we're going to try and focus strictly on employee benefit plans.

Hopefully, you'll be able to identify who is at risk to cybersecurity breaches and common threats, identify fiduciary responsibilities related to pension plans and cybersecurity. We're going to talk a little bit about what a plan sponsor can do to prevent, detect, and respond to a cybersecurity incident or breach should it occur and it would be remiss if we didn't include this in our presentation, but we're going to talk about identify and responding to the risks of a remote workforce which most of us are in at the moment. And then lastly, we're going to talk a little bit about cybersecurity insurance.

I've been auditing benefit plans for probably close to 25 years. I can tell you that based on my experience, there really is a misconception, I believe, among many plan sponsors that their benefit plans are really at low risk. I think the reason some of them feel this way is because so much, if not all, of the activity and the basic operation of the benefit plans are outsourced. As a result, I think the benefit plans are often overlooked.

My first question is to Kevin and that is, Kevin, why do you think benefit plans are at risk for breaches?

Kevin Nardone:Thank you, Kriste, and good morning or good afternoon, everyone. Thanks for joining us today.

Kriste, to get to your question I think that when we are assessing whether employee benefit plans are susceptible to cybersecurity breaches or incidents, I really think that there's two factors that you need to contemplate and consider. You did mention the pervasive outsourcing of operations and activities related to administering employee benefit plans so it's important to take a look at this.

On our slide here if you consider all of the parties that have access to information surrounding employee benefit plans as a result of this outsourcing and even the channels of communications required between these parties, these communications they're all highly electronic and executed through various internet connections and networks especially now that we're all working in a remote environment.

Plan sponsors, custodians, record keepers, third party administrators, actuaries, and payroll providers are among those involved in the communication process and the management of operations for employee benefit plans. All of these parties are receiving and delivering information in the administration of the plans.

If you think about it, a breach or incident can occur at any of these service providers which increases the risk or likelihood of such a breach or incident. Should a breach or incident occur, it could result in a plan sponsor being required to make the plan hold for any losses that occur and communications to participants or employees regardless of where this incident or breach originated.

I think the second factor that you need to consider is the information that's shared between all of these parties. Almost all of it is sensitive personal information. As we spoke about, this information is shared between multiple parties over various internet connections, networks, and platforms.

Some examples of this information that's shared to administer plan operations includes participant and beneficiary names, dates of birth and hire, social security numbers, addresses, and account balances. In some circumstances, information protected by HIPAA laws is shared between parties as well and this is common if your company sponsors a health and welfare plan.

It's important to realize that in these situations, not only is the personal information of your employees retained but also personal information of beneficiaries and family members or spouses as well since most of the time they're involved in these employee benefits.

I think all of us can agree that if we were aware of companies or parties holding on to this information and executing benefits or services on our behalf, we would all want to make sure that they were exercising caution in maintaining and communicating this information to service providers as well.

Kriste DeAngelo:These are all great points, Kevin. And we certainly can say that there's a lot of hands that touch benefit plans and a lot of personal information that a cybercriminal could potentially want.

But one of the things that I've heard from many plan sponsors is they often will say, "My company or my plan is too small to worry about this." They really believe that they're not a target. This question is to, actually, both Kevin and Greg. Is there any organization, company, or plan that you think is too small to worry about a cybersecurity attack?

Greg Fritsky:Yeah, I can actually start with that. I would say size really doesn't matter here. This is everyone's problem. The challenge here essentially it's a risk-based consideration.

If your organization is financial information, healthcare information is very susceptible to these types of hacks. This is a value to people who are trying to get that information. It really comes down to not the size necessarily but the data that you have and you house and you have a responsibility to protect that. I would say that that really doesn't matter what size.

Kevin, I don't know if you care to comment.

Kevin Nardone:Yeah, absolutely. I think that everyone's first response is, "Well, this doesn't really affect me," or, "We only have a few employees," or "This is covered. This has to be covered by our service providers." But in short, the answer's no. There's no organization, company, or plan that's too small and doesn't have to worry about the potential of a breach or an incident.

I guess, technically, you should only be concerned if you're not already aware of the risks and prepared to address them but you should definitely make sure that this is part of your consideration when you're administering your employee benefit plans.

Any company that has access to personal information or confidential information is at risk for exposure. We've seen that increasingly over the last few years. Cybersecurity has been identified as a top economic and national security challenge and what we've been seeing in a lot of our clients is it's really been the focus of many company boards, audit committees, and governance professionals as we have listed on the slide here. I know it seems like we've almost become used to hearing about that and security breaches. We hear about it every day but it's important to make sure that we're continuing to consider this and that we're addressing it appropriately.

Greg is going to give us a little bit of additional detail and insight on types of risks. But first, I just wanted to briefly mention some examples of breaches that have occurred in the last year or so.

The first one is interesting because in 2020, there was a breach on Apple iOS. Previously, we've all heard it before. Apple products had been considered safe from any breaches and hackers. We've all heard that. There's really no such thing as an entity, product, or company being "safe" from a breach any longer.

Another incident that was large in 2020, Microsoft actually took part in uncovering this. It was a cyberattack that occurred at a company called SolarWinds and they're actually a third party software vendor. What was tricky about this breach is the attack was disguised as part of a legitimate software update so any user on the network who was updating their computer software through their employer downloaded this update. Once this was executed, hackers were able to freely move around the networks and they were undetected.

The real issue with this breach is how long it took to uncover and the sensitivity of the information taken and also, there's a lot of unknowns sometimes when it comes to these breaches because you're not really sure how long the hacker has access to the system or even what information that they had access to while they were moving around the network.

This did impact several government agencies including the U.S. Department of Commerce, U.S. Department of Agriculture, and Homeland Security. If you really think about the implications of that, it's pretty large.

Just to put a personal spin on it, I had a client once I was auditing an employee benefit plan and they had been impacted by a cybersecurity breach. Someone had requested distributions from their account and actually three or four distributions ended up being made and they didn't go to the participant who owned the account. The participant actually went on their website and noticed that their account balance had declined and when they contacted the service provider, it was discovered that these were fraudulent requests that impacted three or four people at the company.

It's actually more common than you may hope. What they found was the URL or location of the requests were from overseas so someone else had gotten access to that person's personal information and they were able to actually take the money out of the retirement plan fraudulently.

Greg, I'm going to toss it over to you if you could tell us some more details on the types of risks associated with employee benefit plans.

Greg Fritsky:Sure, thanks, Kevin. That SolarWinds hack is very telling how they have become very sophisticated, the hackers' plans and programs and the level of attacks, very pervasive throughout the organization.

I would say that one of the biggest concerns with that one was that it was an update program so it's something that the vendor or third party is applying a fix which no one here would probably be privy to. That's the type of things that we have to be careful and that's why having a level of defense against that using cybersecurity programs is very important and having the right vendors monitoring those types of situations.

But yeah, there's a lot of different types of breaches. Identity theft is on the rise. It just increases the need to continuously assess risk and monitor for it. It has been a banner year for these types of issues. We've all gone to remote work, we're all working in our home offices and we have new devices, devices we didn't know even worked in our house, and now we have to attach them and try to get everything working. And it was a rush to do that and organizations, kudos to all the IT departments that made this possible, but all that said, it does create some complexities when you're not in the office asking people to check your computer, you have to be responsible for it, too. It's everyone's responsibility.

We're also seeing the movement towards cloud systems where you log in, you go to a website, you provide information and data, automation, self-service systems, providing information and passing things through, those are things that can be very much compromised.

I'll give you an example. I just helped my mother file her taxes and you go in and you apply an e-File and then it starts asking for routers and account numbers and what have you and you double and triple check. I had to sit there and pull the paperwork away from my mother because she's reading me the wrong numbers. It can be very easy for someone on the end user side to make a mistake and that's just putting in information. Now someone can go in and access this information so we need to take precautions.

Just some security threats, pretty common, malware. You've heard the phrase, "If you don't recognize the sender, if it doesn't look like something you should be clicking, you probably shouldn't click on it," or ask somebody. That happens all the time. Stuff comes in and it looks suspicious and basically if you sense there's something wrong with it, probably something wrong with it. That's pretty popular.

Ransomware, little scary hackers can actually access files and drives and lock you down and threaten to destroy everything or reveal proprietary information. Very embarrassing reputational risk types of things that some firms are just willing to actually spend the money just to get everything released. Phishing, spear phishing, where someone actually wants to access your account information.

Just the other day, I got something that looked like my children have access to Netflix and they live in remote locations and look like somebody signed in and they asked me to confirm information, usernames, and passwords. Of course, I call them up to find out if that's true before I provide any kind of information. It's just things that you have to be suspicious of. It's very easy to be compromised.

Possibly internal employees stealing data. Sadly, fraud is still an issue but it can happen and laptops can be stolen or lost and these breaches are just, like I said, becoming much more sophisticated.

There's so many. I'm not going to go through all the different types. But the key thing is that there's real value when these pieces of information are stolen. They can be sold on the dark web. You might have information that you don't even know exists out there that people have access to. If you're getting unusual emails suddenly, somebody's probably gotten information on you and trying to use that to access more information from you. Have to be very careful and ensure that you're trying to do the things. If you have a password, that's great. But using websites that have multifactor authentication is important. Encryption's important. There's a lot of different ways that you need to protect yourself and we'll talk a little bit more about that in a moment.

Kriste DeAngelo:Wow, that's a lot of information in it. And it is quite scary when you hear about all the ways that information in our computers can be infiltrated. I guess my question for the folks out there is, is there anything that plan sponsors can do now or are there any tools available to them so that they can take advantage of some of these ideas or resources now?

Kevin Nardone:Kriste, so many great questions today.

We've searched the internet high and low. The AICPA actually has some tools available for risk management that don't require subscriptions and are free to download. We have these listed here. We're going to go into a little bit more detail about these.

But if you're trying to consider where to start or take a look to see how you think your own internal cybersecurity policies are, definitely I would take a look through some of these. They're excellent ideas on best practices and the important thing is, we mentioned this before, even though these are really specific to employee benefit plans, really, it deals with cybersecurity and best practices at the plan sponsor level as well.

You can see here there's resources available for the importance of retaining and protecting employee benefit plan records which could go to any human resource type files or information. There's a Q&A on cybersecurity and employee benefit plans and there's also a cybersecurity checklist. I'm going to go into these a little bit more now.

The first one that I just wanted to speak about briefly is the Q&A that's available through the AICPA. This discusses how employee benefit plans are at risk for cyberattacks, what information and assets are at risk, and some common examples of cyber threats to employee benefit plans among other things.

We list out some of the things that's included but I wanted to speak specifically about the SOC 1 reports. This Q&A mentioned SOC 1 reports and some people ask the question, do these address cyber security controls and risk?

Kriste and I mentioned that we audit employee benefit plans. When we are doing the employee benefit plan audits, we do ask for the SOC 1 reports of service providers, any custodian, record keeper, anyone who's really administering activity on behalf of the plan. We use these to assess the internal control environment at the service providers since so much of the operation of the plan is outsourced. That internal control environment of the service provider becomes an extension of our clients internal control environment. However, with all that said, this reports on the effectiveness of internal controls and not on cybersecurity.

So if you're looking for something specific to cybersecurity, it's important to ask your service providers for a SOC 2 or a SOC 3 report. A SOC 2 report addresses a service organization's controls that relate to operations and compliance and include standards that are issued by the AICPA in relation to availability, security, processing integrity, and confidentiality and privacy.

A SOC 2 report and a SOC 3 report are the same thing. However, a SOC 2 is usually restricted in use which means that it's typically only made available to management customers and prospective customers of a service provider. There may be a nondisclosure agreement that's involved in obtaining that. But a SOC 3 report, however, is available as well and generally, it has the same content but it's more of a summarized fashion so that it can be distributed to any party.

One of the other tools that's available through the AICPA is the cybersecurity checklist. It's a list of 22 best practices that's available and we've summarized some of these best practices on this slide. These include enforced password policies, enhanced password controls, for example, company policy for how often passwords must be changed and even character requirements.

I know that we all have trouble remembering our passwords to different websites because who allows special characters, who doesn't, who requires them. Those days of using the same password for everything are pretty much over. But this also includes email encryption as a recommendation and required employee training as well.

Our firm has an annual training on these practices that we've developed internally. It's usually about an hour long and I think that there is actually a test that you have to pass to make sure that you were actually paying attention. I always cross my fingers that I'm going to pass these tests because I swear that I end up on a list if I don't pass that test and they're like, "He needs more training." But these are pretty standard recommendations for IT security.

Actually, I think one of the things that we've instituted which has been helpful is now our emails identify whether or not it's an external source or an internal source that's sending the email which is really helpful because sometimes people will send you an email that looks like it's from a similar email address but if you look at the extension after the at sign, there's one word or one letter that's misspelled and somebody created a fake email address to try and get some information from you.

Greg's going to speak a little bit about his thoughts on risk management and related frameworks.

Greg Fritsky:Thanks, Kevin.

A cybersecurity discussion here coming from me. I'll be the first to admit I failed one of those tests. I'll be honest with you. Nobody feels like anybody feels foolish that they've done it, I was half awake-

Kevin Nardone:Did you get a follow-up call?

Greg Fritsky:No, I did not. But I was half awake when I saw something and sure enough, it was a test. But that's good. That's good that the firm does that and all the firms are doing that these days. They should.

Just real quick commentary on the SOC reporting, too. They're excellent and they're required by a lot of organizations. But I will just say that they're focused on controls and reasonable assurance that controls are effective and they focus a lot on information security and not necessarily go deep enough into cyberspace. There is now a SOC report for cybersecurity that's available. Maybe some of you have looked into that. But at the end of the day, think of it this way, SOC reporting internal controls is to ensure that controls are reasonable.

Cybersecurity is about absolute. It's about, "I don't want one bad guy to get into my organization and hack." The challenge there is how do you get to that level of protection. Putting a lot of these things in place we're going to talk about is critical and that's why you have to go a little bit deeper than just some of the other assurance mechanisms which are very important by the way, but this is another way of looking at it.

The NIST framework is the gold standard in this space. It's a framework to give people an idea of where should they focus their efforts as they build out a risk mitigation program. I would say it really focuses initially on identifying where critical data resides and sits, looking at where your information assets are, and putting protection with controls around those things, having a mechanism to detect a monitor, and then ultimately things happen, that's business. When things do happen, how do you respond and how do you ultimately recover and learn from those issues.

It's a powerful framework and certainly guides you to it and we'll talk a little bit more detail in a minute.

Kriste DeAngelo:From an employee benefit plans perspective, we know that plan sponsors and they have audit committees and planning committees, excuse me, and others within the company that are in charge of plan governance have fiduciary responsibilities and duties.

Kevin, can you speak a little bit to how does that relate to cybersecurity? Can you give us some detail with regard to, in particular, what those duties and responsibilities entail in relationship to cybersecurity?

Kevin Nardone:I think I could do that.

Kriste, first and foremost, we know that it's the plan sponsors fiduciary duty to protect plan assets under ERISA which governs the employee benefit plans. Somehow, we need to link this to the importance of cybersecurity. That's the purpose today.

Like we mentioned earlier, very often, we hear, "Well, we outsource plan administration. We're not sure how they protect plan assets and participant data." But they have to. The outsourcing of these services doesn't relieve the plan sponsor from their fiduciary duties. They do have a duty of loyalty to plan participants even if this is within the simple selection and approval process of the service provider.

How does the plan sponsor determine that the service providers that they're soliciting these services from can deliver and protect the information of their plan participants?

They have the duty to act with prudence to plan participants and the duty to protect plan data. Part of this duty is ensuring that the assets held an employee benefit plans are not used for any reason other than the benefit of plan participants and beneficiary. Those that contribute to the plan are the ones who should be benefiting. That inherently involves cybersecurity because if a plan asset or data is subject to cybersecurity breach or incidence, then really it's the duty of the plan sponsor to ensure that the assets are safe and protected.

I mentioned the earlier example of the participant assets being taken from the plan without the participant's knowledge. That was a failure to safeguard assets and they were the victim of a cybersecurity breach. Any failure to abide by this duty, as we mentioned before, could result in liability by the company or plan sponsor to the participants or those impacted.

ERISA does have specific guidelines for electronic disclosure of information. That's the electronic communication back and forth. Remember earlier, we talked about all the parties who have access to this information and if you think about it really, they're communicating back and forth daily.

Based on ERISA guidelines and regulations, and excuse me, because I'm going to read some of this directly because I think it's so important. From the definition of the confidentiality of personal participant information must be protected where plan disclosures are provided through electronic means. Plan sponsors have to take appropriate and necessary measures that are reasonably calculated to ensure this system for furnishing documents protects the confidentiality of personal information related to individual accounts and benefits. Those are the accounts of your employees and their related benefits.

This specifically involves the communication of this information between different service providers and the company or the plan sponsor. It's further defined by ERISA. ERISA further defines this as the incorporation of measures designed to protect against unauthorized access or receipt of protected data by anyone other than the individual for whom the information is intended.

This is a pretty big deal and it really inherently relates to cybersecurity because if anyone breaches that information, you're not necessarily following the ERISA guidelines.

Kriste DeAngelo:Kevin, you mentioned briefly that plan sponsors have to monitor third parties and protect plan assets but what about all the personal information that you spoke about or that we've been speaking about throughout this presentation, all the personal identifiable information like participants' social security numbers and the date of birth, date of hire, addresses, etc.?

I know that we're not attorneys and by the way, we are not in no means giving any legal advice in any part of this presentation but based on what we know or conversations that we've had with ERISA attorneys. What is the thought as far as do plan sponsors have a fiduciary duty to protect participant data?

Kevin Nardone: Kriste, this is important because I think that's why we're all here today because in all of our discussions today I think you have to really consider is participant data plan asset? I think you need to figure that out in determining the fiduciary duty relating to this on behalf of plan sponsors.

We know that and we've talked about that plan sponsors must protect plan assets and I think traditionally, when we say, plan assets, we all assume that we're speaking about investments. But if you really think about it and if you determine that participant data is, in fact, a plan asset, then without a doubt, we should be making sure that we're placing the same protections or that we're exercising the same protections on participant data as well.

This isn't really something that's explicitly defined by ERISA and it's not explicitly defined as a plan asset but I think we all have to consider these discussions today and draw our own conclusions on this and at a minimum, make sure that we're having conversations on it.

All this participant data can be used to misappropriate plan assets within participant accounts through a cybersecurity breach or an incident so I think it's important to make sure that you have protections in place that your employees and participants of any plans you administer to make sure that that's protected.

In determining how to protect participant data, there's certain strategies that we've seen clients implement and even through webinars and trainings that we've attended as well, these include reviewing service agreements of service providers for any discussions on the use and protection of participant data, also evaluating products and services to solicit only those that provide value to your participants and employees. And then it's also important to review any cross marketing practices that the service provider may be involved in.

They're accumulating all this employee or participant information. What are they doing with it? Are they protecting it?

When speaking with service providers, it's always a good practice to identify what information is collected and monitor the use of participant data in compliance with contract terms and maintain documentation of these different processes, decisions, and their implementation as well.

When you are entering into contracts with service providers, we always recommend, just like Christie said, I'm not a lawyer, I'm not an ERISA counsel, but we always recommend to our clients that you solicit the help on consultation of ERISA counsel or legal counsel as well.

Kriste DeAngelo: Let's just pick up where we left off on your last slide. Kevin, it sounds like there is actually nothing specifically defined in ERISA with regard to participant data versus a plan asset. I think it's just really a matter of interpretation. Basically, if I was the plan sponsor, I would certainly err on the side of caution in trying to protect this data and as you mentioned earlier in the presentation, we certainly encourage you to speak to your ERISA attorneys or if you have in-house counsel but certainly, you should seek some type of legal advice.

But I do believe there is something more black and white with regard to plan sponsors fiduciary duty when it comes to third party vendors and service providers. I think this is important to really talk about because I think in many cases, plan sponsors really, again, they assume that they outsource the responsibility with regard to their plan because so much of the activity is done by a third party service provider. But as Kevin mentioned, you don't really outsource the responsibility. The buck stops really still with the plan sponsor.

Kevin, could you speak a little bit to that?

Kevin Nardone:Absolutely. Absolutely, Kriste.

It's consistent with what we spoke about in reviewing contracts with service providers. It's important to make sure that you're understanding systems requiring consideration of cybersecurity risk. At these third party vendors, how is information being shared? Is there a secure portal? Is it encrypted?

While we can't explicitly conclude on whether participant information is a plan asset, I think that is subject to interpretation and like we said, we're not legal counsel so we can't really make that defining conclusion but you don't want to be on the wrong side of it and I think that that's what we're trying to stress the importance of today. We do know that a plan sponsor must act with prudence in selecting a monitoring service provider and that is required under ERISA's consideration of fiduciary duties.

Discussions that we've had with ERISA counsel and seminars that we've gone to in the past, as I said before, highlight that service providers should illustrate security for protected plan and participant data and document implemented cybersecurity policies.

Similar to before when reviewing these contracts, please solicit the help of counsel but it's really important to monitor the policies and procedures that your service provider has in place and conclude on whether or not it seems appropriate to make sure that the data of your employees and your participants as well as their beneficiaries is protected.

Something else that you want to make sure that you have done is in the event that there is a breach or an incident at a service provider, internal personnel should always be educated on their responsibilities regarding cybersecurity. Any IT systems that store and transfer plan participant data should be reviewed to confirm that there's protections in place and that this information is protected.

Plan documents and service agreements related to your employee benefit plan should be reviewed to identify who's responsible for what. Generally, it is explicit in there and if there isn't an explicit responsibility defined for some of the policies and procedures, it's important to have that conversation with the service provider, "Well, what happens in the event of" or "Has this happened before?" And have a conversation with them about their policies and procedures and what they have in place as well.

It's also good practice to inquire and verify that their cybersecurity policies in place from an insurance perspective as well.

Kriste DeAngelo:Kevin, you mentioned service agreements in your previous slides and we know that all plan sponsors have one or more service providers depending on whether or not their services are bundled. Is there anything that a plan sponsor should do or look for in a service provider agreement in regard to cybersecurity besides, of course, looping in their ERISA attorney for them to review it?

Kevin Nardone:In our discussions in the past, Kriste, I think that we really circled around three key items to make sure that these service contracts include. There really should be established limitations on the use and access to plan and participant data. Again, before, we mentioned, it should only be accessed when providing services that are part of the service contract. Administering a participants account or executing a requested distribution, that's the only time when personal information should be accessed and that should be explicit in that service contract.

You also want to make sure that there's proper destruction policies in place for information that's no longer used. I don't know. It depends on what the document retention period is at the service provider or even internally but you want to make sure that any information that's no longer necessary, maybe you have an employee or a participant who left your plan 10 years ago, there really should be proper destruction policies in place to make sure that that information is not retained because that makes it susceptible or vulnerable as well.

You want to make sure that encryptions and logical access controls are in place because those are also important and you should always request and review cybersecurity policies and response protocol to ensure that they're included in the contract so it's in black and white. This is going to outline who's responsible for what in the event of a breach or an incident so you're not left pointing fingers at each other in the event that you do find yourself a victim of a cybersecurity breach or an incident.

In addition, keep an eye for explicit terms on any liability for these cybersecurity incidents and breaches. This can include any reimbursements or caps on reimbursements if a breach was executed at a service provider. This is anything that you as the client might be reimbursed for if there is a breach or an incident at your service provider.

In some cases, there may also be recoveries for any fines or penalties that are incurred in reimbursement of service fees in the event of a breach.

In addition to reviewing the SOC 1 and SOC 2 reports of the service provider you're soliciting services from, it's also important to make sure that your service providers are reviewing the SOC reports of service providers they engage as well.

If you follow that through for a second, so when we're auditing employee benefit plans, we're asking our clients, the plan sponsors for the SOC reports of their service providers. We want to make sure that our clients are taking a look through their SOC 1 reports of those people that they solicit services from but that service provider could also be outsourcing services which would involve another SOC 1 report. You want to ask your record keepers or custodians like, "Any services that you outsource to another party? Are you obtaining that SOC 1 report and reviewing it to make sure that there's nothing that you should be aware of or any risks that are unaddressed at that service provider?"

Kriste DeAngelo:We've covered thus far a lot of information. I know that businesses, plans are concerned about cybersecurity but individual people and the participants in the plan are also very much concerned.

I know that personally. I try to be very diligent when I'm on a computer about clicking certain links. Participants want to know that their investments and their information is safe.

Greg, this question is for you. What preventative steps can an organization take that shows they're committed to ensuring that the plan participants are reasonably protected?

Greg Fritsky:Great, great question.

At the end of the day, it's about putting the responsibility in everyone's hands, training, teaching, getting everybody up to speed on what the protocols are but you need some sort of risk management program. We mentioned earlier, the NIST framework but to really make that active is to engage the executive level, sponsorship level, putting a program in place that addresses it at both the business process level and also at the implementation level which is the technology folks that implement these types of programs.

Oftentimes, these things can sometimes sit in silos but I often say that this is not just the responsibility of the IT group or the chief information security officer. What I would advocate is having some sort of center of excellence or expertise to be focused on this type of executing this type of program to make sure that these mandates are put in place and these procedures are followed and that everyone's educated on what their responsibilities are. Involving all those individuals, starting with folks to do the assessment, putting the protocols in place, and then putting the program and the procedures in place, it's part of everybody's responsibilities.

So then once you have that framework and that team, if you will, what's the risk assessment and what does that focus on, and there's various areas. First and foremost, it's doing an evaluation of risk and the level of communication at all levels throughout the organization. How are incidents going to be reported? How are people going to respond? What are the protocols to follow?

But then it gets into things like access rights and controls. Who are you giving access to? What are the shared directories? What about the end user, the benefits plan participants? What are they able to do? How much control do they have? Where does the data reside and how do you protect that? That goes hand in hand with data loss prevention.

At the end of the day, securing your assets, the most important assets are the things like Financial information, healthcare information, individual information that you don't want to leak out and have not just hackers have access to but other participants don't want to see other participants' information, obviously. There's a lot of protocols that need to be in place to prevent that.

Kevin mentioned, too, with regards to vendors and contracts and third parties making sure that there is due diligence. Looking at the SOC reports is one way but doing a full, I would say, vendor risk assessment. Who has access to our information? And even more importantly, in this day and age, a lot of things get outsourced and pushed off shore, some of the processing may happen elsewhere. It's not just the vendor you're working with but do they have a sub service provider that's providing information? Does the data reside somewhere else?

There's issues around GDPR with European citizens' data. Is any of that housed in our servers? Do we have to consider those risks? California has enacted legislation and has protections. New York finances as well. Really have to be careful with that and make sure that we understand where all that is housed and where vendors, not just where we're storing the information or where they're storing information.

And then, obviously, training is key. How do we train individuals? How do we have them recertify? These things are changing all the time. What we thought we knew changes almost weekly, if not daily, so we need to constantly be in front of that. And then ultimately, having protocols in place to respond when an incident occurs, how do we assess if it's beyond a single incident and possibly, a security breach, if you will, which is a much more significant event and needs to be responded to. Those are all aspects of a risk assessment.

Kriste DeAngelo:Wow. With many companies having limited resources particularly now, is there something that our plan sponsors could be thinking about today regarding maybe how to leverage technology to protect against cybercriminals?

Greg Fritsky:Absolutely. Lots of good technologies but we break it down. Obviously, you have this internet security monitoring response capabilities. A lot of organizations are looking to leverage third parties to provide that type of service. That's an important monitoring and detection, staying on top of what the current threats are. Some organizations will have their vendor or they'll perform a vulnerability test, we call a penetration test, where you can actually go in and see if you can hack through and gain access to that data.

Big thing now with being remote and being able to use any device is having some sort of mobile device management software that's stored on your device that monitors potential threats and certain protocols that ensures that if you're using specific apps that somebody would use that actually have access to their own information, how are they being protected on that device?

The other thing is, obviously, email. We get emails. Now, we get text. Just how do we protect against our tendency to respond quickly, to click on things, to do things. That's something that's been around a while but it continues to be a problem.

One of the biggest things with emails that they will tell you is look at the email, look at the address, see if where it's come from. Oftentimes, it'll have an interesting syntax next to it. They'll misspell words in it, they might have the wrong information. They look very convincing but there are ways to detect problems.

Some of these other things, they've been in place for a long time but continuously making sure that you have endpoint security and a backup plan if things were to failover, are those things protected?

Putting passwords in place, multifactor authentication, other capabilities around that and user education.

And then there's dashboard tools now. Our own organization, we've the first look dashboard that helps understand and help a client assess threats and provide some detail and potential threats on the dark web. There's a lot of capabilities and lots of technologies.

Lastly, what's not on here is an area I'm familiar with is robotics process automation. Leveraging a bot, using technology to do the monitoring and constant testing on your behalf to help send alerts and provide you with details as things happen. There are a lot of ways but the best thing to do is to have some sort of assessment performed to identify what your level of threats are but also how you could put some of these technologies to work for you so that you get to sleep better at night.

Kriste DeAngelo:Greg, you spoke about precautions that plan sponsors and companies can take and I know that there's a lot to think about with regard to how to keep information safe. But could you speak a little bit about what happens when there is an incident or breach? How do plan sponsors companies react to this?

Greg Fritsky:Yeah, great question.

Going back to that framework I had shared, it's really based around being prepared, making sure you have all the programs in place so that you know when things happen, what to do. Being prepared is important. Obviously, the assessment lends itself to that but having monitoring and detection capabilities, whether that's stuff that sits on your server on the end client which is your devices that you use or having a third party, this is popular now, having some assistance, you don't know what you don't know and having somebody on constantly monitoring for those threats.

Ultimately, if there is an issue and something happens, how do we investigate the breach, how quickly can we respond to that because the most important thing is if we find out that something has been leaked, and the fact is these things are happening more and more frequently, being able to assess that if there's a breach, can we contain the data flow, has there been a challenge there, or something compromised.

Ultimately, if there is, we have to notify individuals/ You got to make sure that participants know and provide them with ways to assess whether they've been compromised or there're issues that they need to worry about. And then ultimately, remediate it, make everyone whole, and then learn from it. Most importantly, learn from these mistakes, it happens to everyone.

Kriste DeAngelo:We thought that based on what has happened as a result of the pandemic that we really should cover this next topic and that is the risk of having a remote workforce. In some cases, many companies, their workforce is basically 100% remote at the moment. This pandemic has basically turned our homes into temporary offices and I use that term loosely as many folks are setting up shop, so to speak, from their kitchen tables and their bedrooms while other family members are doing the same thing in a different location of their home and at the same time, their children are doing school virtually.

For you folks out there that are doing all of this and you have children in school, kudos to you. I got to tell you. You're my heroes because I go to my daughter's who is working from home and she's got a nine-year-old doing fourth grade and then she's got a toddler, a four-year-old, who she's trying to take care of. It's craziness. Certainly, you guys, like I said, are my heroes.

But aside from the fact that this pandemic has caused a tremendous strain mentally, it's changed the way we actually are working. Kevin, could you speak a little bit to how has a remote workforce changed the landscaping relating to cybersecurity and I know we only have five minutes so I think we should just want to give you a little heads up, okay?

Kevin Nardone:Absolutely, Kriste.

I think after four months at home, I finally gave in and bought a desk. You can see my living room in the back, my dog's next to me snoring. But I think the biggest risk to be honest is people as we're all working remotely.

We mentioned this before but educate your employees on best practices involved in working from home. Secure internet connections are important. Always use a VPN connection. Many internet providers for at home internet provide or offer encryption services on routers. You can activate what's called I think WPA2. I think I learned that on our security training for WPA3 on your home router.

Educating employees on the importance of making sure that they're working through a secure connection. I'm not sure what WPA stands for but I think it scrambles the information over a network so outsiders can't read it.

At the firm, we have two-factor authentication that is required for us to log on to our VPN.

Avoid printing whenever possible. Try and be paperless and have a dedicated workspace. It's important to make sure your employees are only using their work laptop for work-related items.

Greg Fritsky:That's important. If you have a virtual private network, make sure you're on it. It provides you extra security. Again, encryption. The WPA is an encryption protocol and that's important that your router is set up to provide you protection. Beware of the phishing scams that are going on. Continuously reboot your computer. There may be new patches that were applied but don't take effect till you reboot.

And then, educate. Make sure you ensure that everyone knows the rules and how to respond and what to look for. These are sophisticated times where hackers are out there doing things that we never thought they'd be able to do and get access to where they do. It's dangerous for the kids. It's dangerous for everyone. It's something that you should look across all the computers, even the ones that kids are using for school. I'll leave you with that thought.

And lastly, protect yourself from kids running around with those cameras when they're in school. If they happen to come towards the bathroom, make sure that door's locked. My brother can attest to that one.

Kriste DeAngelo:We're actually doing great on time. The last question I have for you, and this is going to Greg, and that is one of the questions that we often hear in our audits is when we ask our plan sponsors, "What are you doing with regard to cybersecurity? How are you addressing this?" And many times their response is, "We have cyber insurance."

I think that we can all agree that based on what we've heard today insurance is not the only answer. Again, we're not insurance experts but we do know that cybersecurity insurance does exist for plan sponsors. But how does the plan sponsor know the amount of insurance they have is adequate?

Greg Fritsky:The biggest part of this and you can contact your insurance broker, this is a new growing field but I will say that prices are impacted by the level of threat and risk assessment is a key part of ensuring that you understand what those threats are and your mitigation that you do towards those threats is going to obviously lower costs. These things all work hand in hand but again, they're going to happen so it's a question of not just being able to respond but how do you make everybody whole.

Most importantly, reputation is key. Making sure you've done everything that you can and acknowledge it quickly is important. Everybody will judge organizations by how quickly they respond but insurance is very important and certainly reach out to your insurance carrier to see if they offer this level of insurance.

Kevin Nardone:Very interesting information today. We do have a question from the audience. The question was, I'm just going to go over this as we're answering the polling question. Are participant accounts protected against fraud the way credit card fraud is?

It's a very good question. I'm pretty sure, and Kriste, Greg, correct me if I'm wrong, so I think when there's fraud on your credit card, you don't really have to pay for that charge and the credit card company handles that.

In this case today, are participant accounts protected? I think it's important to have cybersecurity insurance to make sure that if there is a breach, you're covered and that participants, so in the example we gave before when that participants account was hacked and they requested three or four distributions, you want to make sure that your employee is made whole again.

It's important to have cybersecurity insurance and that's why it's also important to take a look through the contracts like we spoke about to see who's responsible in the event of a breach. If it occurred at the service provider, will they make the participant whole or will the employer still be required to make the participant whole. I think that's really covered by this cybersecurity insurance and any other insurance that the company may have as well.

Kriste, Greg, anything to add to that?

Kriste DeAngelo:No. I agree with you. I think the answer is probably it depends, like you said, as where it actually occurred or where the breach was but I think more importantly, regardless of the fact who is making that participant whole, it's really, like Greg said, about reputation. If one participant has a breach, you can bet your bottom dollar that that's going to spread throughout the company. It's really now the question from participants is "How could this have happened? How come my information wasn't protected?"

I think that there's a lot of things that you just really need to consider. Yes, it's important that the participant gets their money back but I think there's other factors and there's other considerations when a breach does occur.

Wow. That was great. We're 1:02. We're two minutes late so we're sorry. Sorry, we went two minutes beyond but that was actually fairly good timing.

I want to thank everybody for taking the time out today to listen to our presentation. I hope everybody stays healthy and safe. I think now if you've signed up for our networking event, I think, yeah, we have a link here.

Transcribed by

What's on Your Mind?

a black and white logo

Kevin Nardone

Kevin Nardone is a Director in the Private Client Services Group. He has experience in employee benefit plan audits, 401k audits and defined benefit plans for single and multiple employers and knowledge and experience surrounding multi-employer benefit plans.

Start a conversation with Kevin

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.