Employee Benefits & Cyber Attacks (Questions/Answers)

Your employees may understand that they risk identity theft every time there’s a major cyber breach at a store they’ve patronized. But do they know that even more of their personal information is available to hackers via their employee benefits plans? It’s a risk that an increasing number of business owners and CEOs have had to confront. How to safeguard employee data — and avoid the significant expense of a managing a breach response — are just some of the questions that business leaders face around this issue.

Why are benefit plans so attractive to hackers?

Virtually any type of employee benefit plan is vulnerable to hackers. These include pension plans, health and welfare plans, and retirement savings accounts. All represent a rich source of personally identifiable information (PII).

First, hackers can gain access to the employee’s personal health information. Armed with that information, cyber thieves can do everything from file fraudulent insurance claims, get prescription medication, and even blackmail the employee.

Hackers may also gain access to the actual employment benefit accounts, potentially using the accrued amounts as fraudulent assets to obtain lines of credit under the employee’s name.

Of course, being able to completely steal the employee’s identity is one of the most concerning threats. And given that employee enrollment forms will have birthdates, email addresses, official residence addresses, and social security numbers — at a minimum — there’s a strong potential for wide-scale identity theft using the PII.

What makes the plans so vulnerable to hacking?

The average worker assumes that accessing his or her employer’s cash reserves and financial information would be the more attractive target than that of its employees. But a company is one entity and can move quickly to protect its holdings after a firewall is breached. A business’ large number of employees, however, represent better odds for a cyber attack. Even if many of them are able to protect their PII after a breach is discovered, the odds of capturing at least some employees’ personal data are still high.

Employee benefit planning is often handled by the third-party provider. And even when these plans are managed internally, the business may be using software that’s vulnerable to attack. For convenience, the employee plan programs are designed to be accessible to more than one agency or company, and by using different platforms.

Yet the same technology that makes the software so easy for multiple parties to access is also what can make it more vulnerable to cyber attack.

Why do employee benefit plan breaches keep happening?

Unfortunately, pension planners, insurance companies and other partner providers still rely on “old school” tech to stop hackers. While anti-virus software might be helpful to stop non-corporate cyber attacks, it’s not always up to the task of more sophisticated hackers.

Also, federal regulations don’t consider employee benefits information as sensitive as personal health records. For that reason, regulations aren’t as strong on the pension side of benefits as they are on the medical records aspect.

What can be done to protect your employees?

The threat to employee benefit plans information is ever-growing. But the good news is that business leaders can put several safeguards in place, protecting that information on several fronts.

If you use an outside provider to oversee your employee benefits programs, it’s essential to carefully examine what safeguards those partner providers have in place to protect the information they handle. If your own staff is handling the benefits program, it’s essential that they receive the most advanced and up-to-date training available. Even staffers proficient in software and administrative safeguards may not be aware of the latest viruses and scams by which hackers may gain entry.

Perhaps most crucially, you’ll need to set up a chain of command and strict protocol about how all information is handled. From your own IT specialists and human resources administrators to outside benefit plan providers, access should be limited to the scope of that department’s work. The more sensitive the information is, the fewer people should have access to it.

What’s the best way to implement these safeguards?

Hiring a reputable firm of cybersecurity experts will immediately put technological safeguards in place to protect employee PII. These experts can also train business leaders and relevant staffers about how to administer their employee benefits plans accounts safely — and how to select third-party benefit program providers that also put cybersecurity first.