Concerned about cybersecurity? Here’s how to protect 401(k) plans

Do you offer a 401(k) retirement plan to your employees? Retirement plans themselves are an emerging cybersecurity risk for plan sponsors. Continue reading this blog post for tips on protecting 401(k) plans from cyberattacks.

All companies that manage personal consumer data are already concerned — or should be concerned — about cybersecurity. The scope and scale of cyberattacks continue to rise worldwide, as demonstrated last year by a breach that compromised data of 50 million Facebook users.

Retirement plans pose a new risk. Lawmakers are keen to protect the personal information of defined contribution plan participants. Recently, Sen. Patty Murray (D.-Wash.) and Rep. Bobby Scott (D.-Va.) asked the U.S. Government Accountability Office to “examine the cybersecurity of the private retirement system.”

Fortunately for plan sponsors, record-keepers and other parties in the retirement services industry, the same solution designed to address the multiple problems stemming from the upsurge in small, stranded 401(k) accounts — auto-portability — can also augment existing practices that protect plan participants’ personal data.

Auto-portability is the routine, standardized and automated transfer of a retirement plan participant’s 401(k) savings account from their former employer’s plan to an active account associated with their current job. This solution is underpinned by paired “locate” and “match” algorithms which work together to locate participants with multiple 401(k) plan accounts, confirm their identities, and obtain consent to roll over their stranded accounts. These accounts may sit in former-employer plans or may already have been rolled into safe-harbor IRAs before they are moved into active accounts in their current employers’ plans. In addition, consolidation can include a roll-in to the participant’s current employer plan.

Consolidating accounts through auto-portability reduces the number of small accounts in the 401(k) system, which makes plan participant data more secure. Consolidating a participant’s multiple 401(k) accounts reduces the number of systems that store that participant’s data, and also encourages participants, sponsors and record-keepers to become more engaged in keeping track of accounts.

Auto-portability meets cybersecurity best practices

While there is currently no central legal framework regulating cybersecurity in the retirement services industry, the SPARK Institute published a compilation of recommended cybersecurity best practices for retirement plan record-keepers in 2017. Auto-portability, which went live that same year, operates in conformance to the SPARK Institute’s cybersecurity recommendations.

For example, the SPARK Institute, a retirement policy center in Simsbury, Connecticut, issued 16 security control objectives, including the practice of encryption, which requires protection of both “data-in-motion and data at rest.” The institute suggests that the same data protection risk management standards be applied to suppliers. To address cybersecurity, the institute suggests these steps:

  • Encrypt all sensitive information subject to auto-portability using Advanced Encryption Standard 256-bit encryption, an industry standard developed by the National Institute of Standards and Technology. There is no known practical attack that can read AES-encrypted data without the cryptographic key.
  • Never combine a Social Security number with other personally identifiable information in any single file transfer. The objective should be to ensure there is never enough personal data in any single transmission for a hacker to steal an identity. In addition, any file with personal information should never include the identity of either the plan’s sponsor or the record keeper. That further hinders a hacker attempting to access an individual participant’s retirement account.
  • Know that auto-portability supports multiple methods of exchanging secure data.
  • Ensure that any information flagged during the locate-and-match process that doesn’t adhere to certain criteria requires additional verification to confirm an identity.
  • Conduct full address-location searches to ensure that the correct participant is found and properly matched to multiple accounts.
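The second bullet above is a data-minimization rule that can be enforced mechanically before a file leaves a record-keeper. The following is an added example, not code from the original post, from the SPARK Institute or from any auto-portability provider: a small Python check that rejects a transfer payload if it combines an SSN with other personal data, or names the plan sponsor or record-keeper alongside personal data, plus a helper that splits one participant record into two policy-compliant files linked only by a random transfer token. The field names, the SSN regex and the sample record are constructed for this example; encryption of the resulting files (AES-256, per the first bullet) is assumed to happen in the transport layer and is not shown.

```python
import re
import secrets

# Constructed field vocabulary (assumption: these names are ours for the
# example, not a SPARK Institute or auto-portability schema).
SSN_FIELDS = {"ssn", "social_security_number"}
OTHER_PII_FIELDS = {"name", "first_name", "last_name", "date_of_birth",
                    "address", "email", "phone"}
PARTY_FIELDS = {"plan_sponsor", "record_keeper", "sponsor_ein"}

# Heuristic for an SSN hiding in a free-text value: dashed 3-2-4 form or nine
# contiguous digits.  Word boundaries keep ten-digit phone numbers from matching.
SSN_PATTERN = re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b")


def find_violations(payload: dict) -> list:
    """Return the transfer-policy violations found in one payload (a dict that
    represents the contents of a single file transfer).  An empty list means
    the payload may be sent, still encrypted in transit and at rest."""
    keys = {k.lower() for k in payload}
    values = [v for v in payload.values() if isinstance(v, str)]

    has_ssn = bool(keys & SSN_FIELDS) or any(SSN_PATTERN.search(v) for v in values)
    has_other_pii = bool(keys & OTHER_PII_FIELDS)
    names_a_party = bool(keys & PARTY_FIELDS)

    violations = []
    if has_ssn and has_other_pii:
        violations.append("ssn combined with other personal data")
    if (has_ssn or has_other_pii) and names_a_party:
        violations.append("plan sponsor or record-keeper named in a personal-data file")
    return violations


def split_for_transfer(participant: dict) -> tuple:
    """Split one full participant record into two payloads that each satisfy
    the policy.  The SSN file and the demographic file share only an opaque,
    randomly generated transfer token, so neither transmission on its own
    contains enough to identify a person; sponsor / record-keeper fields are
    dropped so that identity has to travel out of band."""
    token = secrets.token_hex(16)
    ssn_file = {"transfer_token": token}
    pii_file = {"transfer_token": token}
    for key, value in participant.items():
        if key.lower() in PARTY_FIELDS:
            continue
        target = ssn_file if key.lower() in SSN_FIELDS else pii_file
        target[key] = value
    return ssn_file, pii_file


if __name__ == "__main__":
    # Constructed sample record: one participant as a record-keeper might hold it.
    participant = {
        "name": "A. Sample",
        "date_of_birth": "1980-01-15",
        "ssn": "123-45-6789",
        "plan_sponsor": "Example Employer Inc.",
    }
    print("single-file transfer:", find_violations(participant))
    ssn_file, pii_file = split_for_transfer(participant)
    print("ssn file:", find_violations(ssn_file), ssn_file)
    print("pii file:", find_violations(pii_file), pii_file)
```

The value-level regex matters more than the key check in practice: an SSN pasted into a "notes" or "comments" column defeats a check that only looks at field names, so the function scans every string value as well. The receiving side re-joins the two files on `transfer_token` only after both have arrived over the encrypted channel.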

When participants strand 401(k) savings accounts in former-employer plans, and nothing is done to move them to active accounts in their present employers’ plans, there is a strong chance that the worker will fall victim to a cybercrime. Plan sponsors can protect themselves and their participants from hackers, and strengthen their overall cybersecurity preparedness, by implementing auto-portability to reduce the number of small accounts and missing participants.

SOURCE: Williams, S. (25 April 2019) "Concerned about cybersecurity? Here’s how to protect 401(k) plans" (Web Blog Post). Retrieved from

Cybersecurity Should Be on Plan Sponsors’ Radar

Cyber threats and attacks are so widespread that retirement plan sponsors are being warned to develop a cyber risk management strategy rather than a cyber risk elimination strategy.

That’s according to law firm Pillsbury Winthrop Shaw Pittman LLP, which said in an advisory that, among other concerns, sponsors should be prepared to evaluate their third-party service providers’ cybersecurity programs and to ensure that the plans themselves have mitigated the risk of losses in case of a cyberattack.

It shouldn’t come as a big surprise to anyone, considering that there’s a $5 trillion 401(k) market just sitting there waiting to be ravaged by hackers.

Considering that account holders often don’t check their accounts often enough to catch hacking attempts, and that the advisors and plan providers hold another wealth of information (pun intended) on those account holders, the retirement plan market is ripe for the plucking.

The trillions of dollars in 401(k) accounts are becoming particularly appealing to cyber criminals.

In its first of a series of advisories on cybersecurity issues regarding retirement plans, the law firm said that an effective cyber risk management strategy would include thorough due diligence by sponsors of TPAs and vendors; periodic implementation and review of contractual protections and insurance requirements in arrangements with TPAs; periodic monitoring of TPAs’ cybersecurity compliance and related risks; and consideration of whether to utilize the SAFETY Act, a liability management statute managed by the Department of Homeland Security, and purchase cyber and privacy insurance.

According to the brief, “Retirement plan sponsors and administrators could utilize the SAFETY Act in one of two ways: (1) by having their internal cybersecurity plans and policies SAFETY Act approved, thereby significantly limiting the possible scope of litigation claims they would face after a cyberattack; or (2) by requiring TPAs to hold SAFETY Act protections, as that would allow retirement plan sponsors and administrators to be dismissed from a broad array of claims alleging negligence or poor performance attributed to the third-party security products and services.”

Most Cyber Attacks Due to Trick Emails, Errors, Not Sophisticated Hacking

Originally posted by Joseph Menn on April 14, 2015 on

When a cyber security breach hits the news, those most closely involved often have incentive to play up the sophistication of the attack.

If hackers are portrayed as well-funded geniuses, victims look less vulnerable, security firms can flog their products and services, and government officials can push for tougher regulation or seek more money for cyber defenses.

But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

These conclusions will be in the minds of executives attending the world’s largest technology security conference next week in San Francisco, a conference named after lead sponsor RSA, the security division of EMC Corp.

In the best-known annual study of data breaches, a report from Verizon Communications Inc. to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry’s term for trick emails.

Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.

“There’s an overarching pattern,” said Verizon scientist Bob Rudis. Attackers use phishing to install malware and steal credentials from employees, then they use those credentials to roam through networks and access programs and files, he said.

Verizon’s report includes its own business investigations and data from 70 other contributors, including law enforcement. It found that while major new vulnerabilities such as Heartbleed are being used by hackers within hours of their announcement, more attacks last year exploited patchable vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.

Another annual cyber report, to be released on Tuesday by Symantec Corp., found that state-sponsored spies also used phishing techniques because they work and because the less-sophisticated approach drew less scrutiny from defenders.

Once inside a system, however, the spies turned fancy, writing customized software to evade detection by whatever security programs the target has installed, Symantec said.

“Once I’m in, I can do what I need to,” said Robert Shaker, an incident response manager at Symantec. The report drew on data from 57 million sensors in 157 countries and territories.

Another troubling trend Symantec found involves the use of “ransomware,” in which hackers encrypt a computer’s files and promise to release them only if the user pays a ransom. (Some 80 percent of the time, they do not decrypt the files even then.)

The new twist comes from hackers who encrypt files, including those inside critical infrastructure facilities, but do not ask for anything. The mystery is why: Shaker said it is not clear whether the attackers are securing the information for resale to other spies or potential saboteurs, or whether they plan on making their own demands in the future.

RSA Conference

At next week’s RSA Conference, protecting critical infrastructure systems under increasing attack will be a major theme. Another theme will be the need for more sharing of “intelligence” about emerging threats – between the public and private sectors, within the security industry, and within certain industries.

While many of the biggest breaches of the past two years involved retailers, the healthcare industry has figured heavily in recent months. Former FBI futurist Marc Goodman said that both spies and organized criminals are likely at work, the former seeking leverage to use in recruiting informants and the latter looking to cash in on medical and insurance fraud.

Verizon’s researchers said that to be most effective, information-sharing would have to be essentially in real time, from machine to machine, and cross multiple sectors, a daunting proposition.

Another section of the Verizon report could help security executives make the case for bigger budgets. The researchers produced the first analysis of the actual costs of breaches derived from insurance claims, instead of survey data.

Verizon said the best indicator of the cost of an incident is the number of records compromised, and that the cost rises logarithmically, flattening as the size of the breach rises.

According to the new Verizon model, the loss of 100,000 records should cost roughly $475,000 on average, while 100 million lost records should cost about $8.85 million.

Though the harder data will be welcome to number-crunchers, spending more money cannot guarantee complete protection against attacks.

The RSA Conference floor will feature vendors touting next-generation security products and anomaly-spotting big-data analytics. But few will actually promise that they can stop someone from clicking on a tainted email and letting a hacker in.

Employer FAQs: Responding to the Anthem Breach

Originally posted February 9, 2015 by The National Law Review - National Law Forum LLC.

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem's CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs) seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). Below are some FAQs about the Anthem breach for affected employers.

Isn't this really Anthem's problem?

From a legal compliance standpoint, the answer largely depends on whether the plan is insured or self-funded. For example, as discussed below, in the case of a self-funded group health plan, the HIPAA breach notification rules place the obligation to notify affected persons on the covered entity (i.e., the plan, and practically the plan sponsor) and not on the business associate (i.e., the TPA). However, contract obligations in the business associate agreement (or administrative services only agreement) have to be considered. Finally, as a practical matter, because employees and other persons covered under the plan(s) will be concerned and have questions, employers will need to have a strategy for addressing those concerns.

Is the information involved subject to HIPAA? The Anthem FAQs say Anthem does not believe diagnosis or treatment information was compromised.

According to the Anthem FAQs:

the member data accessed included names, dates of birth, member ID/ social security numbers, addresses, phone numbers, email addresses and employment information...[but its] investigation to date indicates there was no diagnosis or treatment data exposed.

Many maintain the mistaken belief that, in the case of a group health plan, a covered person’s name and social security number, alone, is not “protected health information” (PHI) under the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The absence of diagnosis or treatment data does not make information any less PHI. This is because the regulatory definition includes not only information about a person’s physical or mental health condition, but also how care is paid for and provided. Thus, data elements that relate to the payment or provision of health care, such as address and email address, could constitute PHI even if not as sensitive as a covered person’s diagnosis information.

What about the state breach notification laws? Do they apply?

The Anthem breach involves personal information of individuals, such as names, member ID/social security numbers and other data, the kind of information protected by state breach notification laws, which currently exist in 47 states. Given the massive scale of the breach, it is likely that there are affected individuals residing in all 50 states and beyond.

Some of those state laws have exceptions when HIPAA or other federal regulations apply. Some do not. According to the Anthem FAQs, all product lines have been affected, not just health insurance (medical, dental and vision). This includes life, disability, workers compensation and other policies and products which typically are not subject to HIPAA. Thus, regardless of the Anthem policy or product at issue, the applicable state laws will need to be considered to determine their application in this case.

Our plan is/was insured by Anthem. What should we be doing?

Under HIPAA, both the employer’s group health plan under ERISA and the health insurance issuer that provides the insurance for that ERISA plan are covered entities under HIPAA. Covered entities have the primary breach notification obligations. Under state breach notification laws, the primary notification obligation generally falls on the entity that owns or licenses the data, not necessarily the entity that held the data at the time of the incident. However, in the case of a breach experienced by an insurer, and not the employer sponsoring the plan, the insurer generally is considered to be responsible for responding to the breach. Even if not entirely clear in the applicable statutes or regulations, this makes practical sense because the carrier is in control of the investigation and the facts, and usually is in the best position to work with law enforcement. Carriers can typically disseminate notifications more efficiently across the affected policies, as well as to federal and state agencies, and the media.

To date, Anthem appears to be taking the lead on the investigation and notifying affected persons. For example, its FAQs inform members that they can expect to “receive notice via mail which will advise them of the protections being offered to them as well as any next steps”. Because this incident affects both HIPAA-covered and non-HIPAA plans, it is likely the notices will address the applicable HIPAA and state law requirements.

Still, there are some action items for affected employers to consider:

  • Stay informed. Closely follow the developments reported by Anthem, including coordinating with your benefits broker who might have additional information.

  • Consult with counsel. Experienced counsel can help employers properly identify their obligations and coordinate with Anthem as needed.

  • Communicate with employees. Be prepared to respond to employee questions – consider providing a short summary of the incident to employees along with links to the Anthem materials and FAQs.

  • Evaluate vendors. Use this incident as a reason to examine more closely the data privacy and security practices of all third party vendors that handle the personal information of your employees and customers, including insurance companies. Of course, a data breach is generally not a reason, by itself, to switch vendors. With breaches of all sizes affecting many companies, there is no telling whether the grass will be greener. But making inquiries and pressing vendors to do more, including by contract, is a prudent course of action, and even required in some states.

  • Revisit your own data security compliance measures. Employers should take this as an opportunity to assess or reassess their own data security compliance measures. As many have noted, it is not just large companies that are vulnerable to these kinds of attacks.

Our plan is/was self-insured and Anthem was our TPA. What should we be doing?

In this case, whether the plan is a health plan covered by HIPAA or another employee welfare benefit plan, Anthem, as TPA, maintains the personal information of covered persons on behalf of the employer. Anthem’s legal obligations under HIPAA and state law, as applicable, then generally require only that it notify the employer concerning the circumstances of the breach – how it happened, the kind of information breached, who was affected, etc. It is then up to the employer/covered entity to carry out an appropriate investigation, provide notice to affected persons and otherwise comply with the applicable federal and state laws. However, administrative services agreements and, in the case of health plans, business associate agreements may delegate some of these responsibilities to the TPA, along with indemnification obligations. So, in addition to some of the steps listed above, employers have a number of things to consider and steps to take:

  • Determine if plans have been affected. Employers might soon be receiving communications from Anthem concerning whether their plans have been affected. They also may want to reach out to Anthem and inquire.
  • Act quickly. HIPAA and state breach notification laws generally require that notices be provided without unreasonable delay, as well as place outside limits on when such notices can be provided – e.g., 60 days following discovery under HIPAA, and 30 days in Florida.
  • Examine the administrative services agreement and/or business associate agreement. For plans that have been affected, employers need to review the related agreements, as they could place certain obligations on either the employer or Anthem. The agreements also could be silent, in which case the plan/employer likely has the obligation to notify participants, agencies and media.
  • If Anthem is responsible for responding, employers should consider taking certain steps to ensure Anthem’s reaction is compliant – e.g., has it protected data from further attacks, completed the investigation, identified all affected persons, crafted content-compliant notifications (HIPAA and some state laws have specific content requirements), and notified the applicable federal and state agencies.
  • If the employer retained the responsibility to respond, it should be taking steps immediately to determine what happened and coordinate with Anthem concerning the response. This includes some of the steps listed above. For instance, in the case of group health plans under HIPAA, employers will need to confirm with Anthem whether Anthem or the employer/group health plan will be notifying the Department of Health and Human Services. Also, employers that have developed a data breach response plan (a good idea for all employers) should review that plan and follow it.

However, as a practical matter and regardless of what is in the services agreement, Anthem may decide to take the lead on the response, and not give employers much choice in shaping the communications made to persons covered under the plans.

  • Communicate with covered persons. If it turns out that the employer will be notifying plan participants, in addition to the notification letters referred to above, employers also need to be prepared to address participant questions about the incident. Designating certain individuals or outside vendors to handle these questions and creating a script of anticipated questions and answers would facilitate a consistent and controlled response.

  • Evaluate insurance protections. Some employers may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Employers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

  • Document steps taken. Employers should document the steps they take to investigate and respond to the incident, particularly if it affects one of their group health plans covered by HIPAA.

Some employees have complained about our data security practices. How should we respond?

Take them seriously! Data security has been recognized at the federal, state and local levels as an important public policy concern, most recently by President Obama in the recent State of the Union Address. Disciplining or taking adverse action against an employee who has raised these concerns could expose the employer to retaliation claims or violations of employee whistleblower protections.

Undercover investigators score PPACA subsidies

Originally posted July 23, 2014 by Kathryn Mayer on

Undercover investigators using fake identities were able to get health insurance and tax subsidies through the federal exchange under the Patient Protection and Affordable Care Act, underscoring ongoing problems and security issues plaguing the health care law, officials said Wednesday.

The nonpartisan Government Accountability Office said they created 12 identities with fake citizenship and immigration statuses and phony income documents to test how easy (or difficult) it would be to get coverage and subsidies under the law.

The agency said 11 of the fake applicants were accepted, and the HHS-run exchanges rejected just one applicant because it lacked a Social Security number.

Though some attempts were flagged as problematic, the fake applicants found more success when applying by phone through the call centers handling applications.

“For its 11 approved applications, GAO was directed to submit supporting documents, such as proof of income or citizenship; but, GAO found the document submission and review process to be inconsistent among these applications,” the agency said. “As of July 2014, GAO had received notification that portions of the fake documentation sent for two enrollees had been verified.”

Republicans jumped on the latest news, saying it was yet one more flaw in the faulty law.

“Ironically, the GAO has found Obamacare is working really well — for those who don’t exist,” said Senate Finance Committee Ranking Member Orrin Hatch, R-Utah.

The Obama administration said it was taking the report seriously and would work to strengthen the law’s verification process.

The GAO remarked that findings were “preliminary” and they weren’t jumping to any conclusions yet. The agency said it would release a more detailed report in the coming months.

Eight million people signed up for health plans using the exchanges under PPACA.

The GAO report follows PPACA’s latest hurdle: two conflicting court rulings out Tuesday regarding the legality of PPACA subsidies issued to enrollees in the federal exchange.