Corporate financial operations are a logical target for thieving hackers — and thus cyber-security measures in that department are taken with utmost care. But rightly or wrongly, the employee benefits department is perceived by some as the “soft underbelly” in the world of corporate hacking targets, according to Adam Solander, a member of the Epstein Becker Green law firm.
Solander and his colleague Robert Hudock have recently assisted several clients when hackers sought to raid employee 401(k) accounts.
Also see: “Top 5 Cyber Monday safety tips.”
If a hacker has managed to gain enough employee data through a phishing expedition, he can impersonate that individual and initiate a transfer of funds to a local bank; a transaction that would not set off alarm bells as quickly as if an attempt were made to transfer such funds directly to a foreign bank.
The hacker’s strategy is to make the initial transfer to a nearby bank, and from there, to an offshore bank. “We’ve seen hackers try this three or four times this year,” says Hudock. In all but one case, the funds were recovered before being transferred out of the country, however.
Who is responsible?
Although the principal 401(k) recordkeepers have sophisticated cyber-security systems in place, some smaller firms may not. The recordkeeper may — or may not — be responsible for recovering stolen 401(k) funds. “Under most contracts the plan sponsor has to fulfill certain conditions” to be indemnified against losses Solander says.
The service agreement, for example, might establish standards for firewall maintenance and systematic patching of detected vulnerabilities. A failure to do on the employer’s part would take the recordkeeper off the hook in the event of a successful hack.
Sometimes, the hackers live a lot closer to home that one might expect.
In one case Hudock is familiar with, an employee tried to perpetrate a fraud to double his 401(k) assets. “The employee gave his girlfriend his login information, told her to transfer the funds out, then told the employer his account had been hacked,” he recalls. The scam was unsuccessful.
One might not expect an “inside job” to create such headaches, but employee benefit professionals need to ensure that any companywide hacking risk assessment includes their departments. Or if they are unsure whether they have been covered, they can conduct a risk analysis at their own initiative, Hudock suggests.
Reviewing internal practices could reveal, for example, that department employees with access to sensitive information on occasion transfer some data to their personal laptops to do work at home, thereby potentially creating a major breach in the firewall.
Also see: “Top health data breaches caused by hackers.”
“Most firewalls are good at blocking activity from the outside, but aren’t as good at blocking data being removed from the inside,” Hudock says.
Risk analyses frequently turn up “hidden repositories of sensitive information” that dwells outside the company firewall. “It could be someone in HR collecting data for a legitimate purpose, but if the security people don’t know about it, they can’t protect it,” Hudock warns.
Richard Stolz is a freelance writer based in Rockville, Maryland.
Register or login for access to this item and much more
All Employee Benefit Adviser content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access