Cybersecurity Attacks are Impacting Retirement Plans
Cybersecurity attacks are beginning to concern prudent fiduciaries. Despite the broad attention being given to the topic of cybersecurity attacks, the majority of companies remain vulnerable to cybersecurity events.
A recent global survey of information technology professionals, conducted by cybersecurity firm Kaspersky, found that 91% of companies had been impacted by cybersecurity attacks in the past year. In addition, 45% of those surveyed admitted they were underprepared for a cybersecurity attack. While the results may be sobering, they aren’t surprising. No company of any size or in any industry is immune from cybersecurity risk. Healthcare, financial services firms, and retail companies may make headlines, but cybersecurity breaches are on the rise across all sectors, including manufacturing, real estate, and construction.
Employers must not forget that workplace retirement plans pose a significant cybersecurity attack risk. They are attractive targets for cybercriminals, and not just because retirement plans contain trillions of dollars in savings. Employer-sponsored retirement plans are home to vast databases of sensitive personal information for millions of hardworking Americans. It is critical for personnel across any organization, from executives on down to the rank-and-file, to recognize that cybersecurity attacks are a company-wide concern. Cybersecurity attacks are no longer just an IT issue.
As such, here are some of the steps businesses can take to prepare for and address cybersecurity attack issues, from an article in BenefitsPro penned by Nicholas M. Cushmore, vice president at Graham Company, an insurance firm:
Prepare in advance. Companies need to develop a cybersecurity attack response plan and ensure there’s buy-in from the C-suite and department heads. The cybersecurity response plan should be updated regularly and contain details of the immediate steps to take in the event of a cyberattack. The roles and responsibilities of key stakeholders — most likely including representatives from IT, management, legal and communications — should be identified and pre-assigned to maximize rapid response.
Also, consider purchasing a cybersecurity insurance policy, as it provides protection in the event of a cyberattack. Cybersecurity policies help to recover the costs related to an attack, including first- and third-party expenses. In addition, Mr. Cushmore pointed out, cybersecurity policies often offer ancillary services, such as employee training on phishing scams, system vulnerability testing and evaluation of an existing cybersecurity response plan. “Taking advantage of these services should help improve the organization’s cyber posture and possibly prevent an incident in the first place. Ensuring protection with a cyber policy is the wise thing to do and is a critical part of a comprehensive risk management program,” Mr. Cushmore wrote.
Incident response. In the event a cybersecurity attack occurs, all employees involved in the cybersecurity response plan should be notified immediately. The company should then report the attack to the insurance carrier according to the terms of the policy and get pre-approval for any expenses it anticipates incurring. At the same time, the IT department should engage a forensic investigation firm (approved by the insurance carrier) to identify the source of the cybersecurity breach and contain it as quickly as possible.
Once a cybersecurity attack is identified, it needs to be swiftly addressed. The company should assess the breach and communicate damages to appropriate internal and external stakeholders on a “need to know” basis. If it is necessary to engage a public relations firm in a crisis communications capacity to minimize the damage to the company’s reputation, this is an expense that would be covered by a cybersecurity attack insurance policy, Mr. Cushmore explained.
In addition, the company should have a clearly articulated communications strategy, so employees know where to direct any external questions emanating from clients and/or the media. When all stakeholders have been notified, the company can fully focus on recovery efforts, including restoring or recreating any data that was destroyed. Simultaneously, the breached firm needs to identify and work to address any weaknesses in the company’s technology infrastructure. These expenses may or may not be covered by most cybersecurity policies.
Preventing a future attack. While no company wants to go through a cybersecurity breach, there are ways to move forward and reduce the likelihood of future cybersecurity attacks. It may seem elementary, but Mr. Cushmore noted that his firm recommends training employees on information security, such as what to look for in phishing emails and how to create strong passwords. As a practice, companies can send simulated phishing emails throughout the company to identify employees who take the bait. This information will prove valuable when designing a follow-up strategy around cybersecurity attack training. Obviously, employees who have fallen victim to internal phishing simulations will become a high priority for more intensive training. It is equally important for companies to assess the cybersecurity preparedness of third-party vendors – such as marketing or advertising agencies, software vendors or other vendors that do business electronically. Stress-testing the organization’s vulnerability to cybersecurity attacks is of paramount importance.
Cybersecurity attacks must be dealt with across an organization. All key personnel should be involved and prepared to help stop a cybersecurity attack or breach. The safest strategy is to maintain a good defense. The more prepared your organization is, and the stronger your cybersecurity attack shield, the better protected you’ll be against cybersecurity attacks.