Protecting Your Employee Benefit Plan: Understanding Current Cyber Threats and Best Practices

Protecting Your Employee Benefit Plan: Understanding Current Cyber Threats and Best Practices

January 31, 2025

I recently gave a training to a group of professionals in the employee benefit plan space. Many of the recent threats and security best practices we discussed apply to any company but are critical in a benefit plan setting given the sensitive data handled each day. Below, we’ll explore several emerging and ongoing cyber threats impacting employee benefit plans, along with best practices for prevention and mitigation.

Business Email Compromise (BEC)

What It Is:

Business Email Compromise (BEC) is an attack in which criminals gain unauthorized access to a legitimate corporate email account and then impersonate the owner to request payments or sensitive data. They often begin with a phishing email—tricking an employee into clicking a malicious link and entering their login credentials.

Why It Matters for Employee Benefit Plans:

• Attackers can intercept or alter invoices and payment instructions, potentially diverting plan distributions.
• A BEC attack may also expose sensitive participant data or disrupt plan operations if data is transmitted or discussed via email or if the attacker gains broader network access.

Prevention Tips:

1. Employee Training – Conduct routine phishing-awareness training to help employees identify suspicious emails, links, and requests.
2. Multi-Factor Authentication (MFA) – Even if credentials are stolen, MFA adds another layer of protection that attackers must bypass.
3. Monitoring & Alerts – Implement email security solutions that flag unusual login locations or activity.
4. Vendor Management – If you rely on vendors for plan administration or payroll, ensure they also have strong security measures in place. This is crucial since a vendor may have trusted and/or elevated access to your system.
   

Ransomware

What It Is:

Ransomware is malicious software that encrypts files and systems, rendering them inoperable until the victim pays a ransom—often in cryptocurrency. High-profile ransomware attacks frequently make headlines, but smaller organizations, including those handling employee benefit data, remain prime targets as well.

Why It Matters for Employee Benefit Plans:

• A successful ransomware attack can shut down access to participant records, contribution histories, or transaction data, severely impacting benefit plan operations.
• Breach disclosures can damage trust and lead to possible regulatory scrutiny or penalties.

Prevention Tips:

1. Regular Backups – Store backups offline or on a separate network to prevent ransomware from encrypting them as well. Employ multiple back-ups, including different media types and multiple locations.
2. Endpoint Protection – Use antivirus software, firewalls, and intrusion detection or prevention systems to block malware.
3. Incident Response Plan – Have a clear plan detailing how to isolate infected systems, communicate with key stakeholders, and restore backups.

The Rise of Generative AI Threats

What It Is:

Generative AI tools can create realistic text, images, and even voice clips (so-called “deepfakes”). Attackers now use AI to clone voices or impersonate leadership in phone calls or videos, tricking employees into divulging sensitive information or sending unauthorized payments.

Why It Matters for Employee Benefit Plans:

• Scammers could impersonate an executive or plan administrator, requesting urgent wire transfers of plan assets or sensitive participant information.
• Plan participants themselves may be targeted with fraudulent communications that appear authentic.

Prevention Tips:

1. Training & Awareness – Educate staff to be skeptical of unexpected requests, even if they appear to come from a known voice or trusted email. Train those entrusted with benefit plan administration as well as those participating in the plan.
2. Authentication Protocols – Use code words, “challenge” questions, or call-back protocols for phone or video requests that involve financial or personally identifiable information.
3. MFA & Strong Passwords – Even AI-driven attacks often rely on stolen credentials. MFA and unique passwords remain critical.

The Increasing Attack Surface

What It Is:

Today’s technology environment is more interconnected than ever. Organizations outsource services, integrate with multiple vendors, and allow employees to access systems from personal devices. While this fosters efficiency, it also increases your “attack surface”—the number of potential entry points for cybercriminals.

Shadow IT

Employees sometimes use unapproved tools or applications—known as “shadow IT”—to speed up work. This might include file-sharing apps, personal smartphones, or even AI tools like ChatGPT without the oversight of IT. Each unvetted app or device is a potential security gap.

Why It Matters for Employee Benefit Plans:

• Sensitive benefit data may be stored or transmitted through unsanctioned apps or devices, bypassing the organization’s standard security controls.
• The more connections and data transfers that occur with external partners, the harder it becomes to monitor and secure all data flows.

Prevention Tips:

1. Acceptable Use Policies – Define which devices, apps, and data-sharing methods are permitted and regularly educate employees on these rules.
2. Vendor Management – Conduct due diligence before onboarding any new vendor that will handle participant data or integrate with your systems.
3. Regular Network Scans & Inventories – Perform frequent vulnerability scans and maintain an up-to-date inventory of systems and data flows so you can quickly identify and address irregularities.

Vendor Management Essentials

Employee benefit plans often rely heavily on third-party administrators, custodians, or recordkeepers. Proper oversight of these vendors is a critical aspect of maintaining plan security. The U.S. Department of Labor (DOL) has also highlighted the importance of vendor contracts containing clear cybersecurity clauses.

Key Contract Elements

• Confidentiality and Data Protection – Ensure the vendor contract explicitly states how participant data will be protected and used.
• Cybersecurity Standards & Insurance – The vendor should adhere to defined security standards and carry adequate cyber insurance.
• Breach Notification – Require prompt notification if a security incident or breach occurs, detailing the scope of the incident and remediation steps.
• Compliance with Laws & Regulations – Confirm that the vendor follows all relevant state, federal, and industry regulations (e.g., ERISA, DOL guidance, etc.).

Reviewing Your Vendor’s SOC (System and Organization Controls) Reports

Many benefit plans request SOC (System and Organization Controls) reports from their third-party service providers—especially SOC 1 reports, which focus on controls over financial transactions relevant to plan operations.

Key Points When Reviewing SOC Reports:

1. Reporting Period Coverage – Ensure the SOC report aligns with your plan year. If not, request a bridge letter to cover gaps.
2. Auditor Reputation – Verify the auditor’s credibility by searching for them online and/or in AICPA-CIMA records.
3. Opinion & Exceptions – Look for a clean (unqualified) opinion. If exceptions are noted, determine if they could affect your plan. Document your thought process and decisions.
4. Subservice Organizations – Identify if any critical functions have been outsourced to another vendor (a “subservice organization”) and whether you need to review that entity’s controls as well.

Additional Best Practices

1. Comprehensive Policies – Develop or refine policies around data retention, password management, patch management, and incident response.
2. Ongoing Monitoring – Employ intrusion detection systems and run regular vulnerability scans, assuming that an attacker could already be inside your network.
3. Annual Risk Assessments – Reassess and document risks at least annually, taking into account new threats or changes in plan operations.
4. Plan for the Worst – Have a business continuity plan in place to minimize downtime and protect participant information if a breach or ransomware attack occurs.

Conclusion

While the cybersecurity landscape evolves rapidly, the core principles remain consistent: awareness and prevention and monitoring tools. Regular training, vendor review, and implementing sound technology policies and tools will help protect the sensitive participant data inside your employee benefit plan.

If you have questions about improving cybersecurity for your benefit plan or need assistance reviewing or conducting a SOC audit or financial audit, our team is here to help. We bring experience in employee benefit plan audits and SOC audits and can guide you through best practices that align with Department of Labor guidelines, ERISA regulations, and more.

Contact us today to learn more about securing your employee benefit plan environment.  Larson and Company has developed a suite of services specifically to serve the needs of companies of all sizes in a wide range of industries.