Social Security numbers. Medical data. Financial information. The volume of personal information kept inside employee benefit plans is huge, and that is why these plans make such ripe targets for cybercriminals. It falls to employee benefit plan sponsors to make sure the bad guys are kept out. In a preview of “Cybersecurity for Benefit Plan Sponsors and Auditors,” her column from the summer 2019 Pennsylvania CPA Journal, JulieAnn C. Verrekia, director of quality control for Torrillo & Associates LLP in Glen Mills, discusses techniques hackers use to get employee benefit plan information, resources for plan sponsors looking to strengthen their security, and why auditors of employee benefit plans have to stand ready to ward off would-be infiltrators.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
From Social Security numbers to financial information to medical data, there is valuable information in employee benefit plans. That's why they make valuable targets for cybercriminals. In a preview of “Cybersecurity for Benefit Plan Sponsors and Auditors,” her column from the upcoming summer 2019 Pennsylvania CPA Journal, JulieAnn C. Verrekia, CPA, director of quality control with Torrillo & Associates LLP in Glen Mills, joins us to discuss whose duty it is to protect information in employee benefit plans, techniques cybercriminals use to try and gain access to these plans, and more.
I mentioned a little bit of what's in employee benefit plans and why it makes them attractive, but why do you think that employee benefit plans make great targets for cybercriminals?
[Verrekia] I think cybercriminals have exhausted a lot of other avenues and are now turning their attention to employee benefit plans because they contain and maintain such a large amount of sensitive information. The list is pretty long. It can include things like names, birth dates, Social Security numbers, hire dates, retirement dates, compensation, addresses, bank account information; people don't realize the sheer amount of data that is used to process an employee benefit plan from start to finish.
And this list isn't even all-inclusive. Certain plans, like health and welfare plans, can contain even more sensitive data that we may not realize.
Whose duty is it to protect the information in these plans? Is it the employer? If they're working with a third-party provider, does it fall to them? Who's responsible?
[Verrekia] Well, the bad news is that ERISA is very clear that the duty to protect plan information is the plan sponsor's. So you hear us say that time and time again, that ultimately everything falls on the plan sponsor. It falls under the fiduciary duties that are outlined in ERISA Section 404. And recently, actually not very recently but in 2011, the DOL issued two technical releases that I reference in the column, which impose obligations on plan sponsors to ensure that electronic systems protect the confidentiality of personal information. So plan sponsors cannot delegate that responsibility to their third-party service providers.
What are some of the ways and techniques cybercriminals are using to try and gain access to this data?
[Verrekia] The ways that they try to gain access to EBP data are not unique; they're the techniques that we hear about every day with other data breaches at credit card companies and banks and other institutions. The more popular ways include things like phishing, malware, fake web profiles, ransomware attacks, or loss or theft of mobile devices, laptops, and flash drives.
The Employee Benefit Plan Audit Quality Center (EBPAQC) of the AICPA issued a Q&A in May 2018 entitled "Cybersecurity and Employee Benefit Plans." And it's very interesting, in that Q&A, the AICPA gives specific, real-life examples of how each of these techniques was used to obtain sensitive information from an employee benefit plan. When you read those examples, you start to think, "Wow, this is another thing I have to worry about when I'm administering my plan."
What resources are available to companies who are looking to strengthen their employee benefit plan cybersecurity methods?
[Verrekia] There's quite a bit out there, and it is easy to get overwhelmed, but one of the things that I recommend, and that we used when we were going through our own process, is a report issued in 2016 by the DOL advisory council. It's titled "Cybersecurity Considerations for Employee Benefit Plans." It's an excellent resource, as it's geared specifically toward plan sponsors and employee benefit plans. It includes information that can be used to develop an EBP-specific cybersecurity strategy and program. It's available on DOL's website, which is www.dol.gov.
Also, the AICPA has developed a cybersecurity resource center that provides tools and information that plan sponsors can use. That is also accessible from AICPA's website at www.aicpa.org. Then, as I previously mentioned, EBPAQC's Q&A is also a very helpful resource to keep handy and reference, if you are a plan auditor, when speaking with plan clients.
One of the most interesting parts of your column, because it's something that you wouldn't necessarily think of right away, is the point that hackers may not only choose to target the administrators of employee benefit plans, but the auditors of such plans as well. What do employee benefit plan auditors need to do to protect their sensitive information, or their work papers?
[Verrekia] Making that statement was a bit of a double-edged sword. It's something that you don't want to call attention to, but unfortunately it's something we need to think about. And we have thought about it at our firm as we started wading our way through all the cybersecurity reports that had been issued.
But the truth of the matter is that EBP auditors obtain and have access to a lot of sensitive plan information in order to perform testing of things like participant data, benefit payments, contributions, pretty much the whole plan. As plan sponsors are formulating their own EBP cybersecurity strategies, it would only be natural for them to include plan auditors in their discussions. I don't profess to be a cybersecurity expert, but EBP auditors may need to start thinking about their own cybersecurity strategy that goes beyond redacting information in work papers, and firewalls and security software, which most of us already have.
Most of us are familiar with telling the staff auditors to go through the work papers and black out all the names and Social Security numbers, and we probably need to be doing more than that. We need to be thinking about things like encryption, penetration testing, policies, and training. These are all things that I've learned a lot about as we've gone through our own process, and I'm hoping to spark that thought in other plan auditors as well.