Federal Board Has a Plan to Secure Health, Retirement Plans from Cyberthreats

A federal board that advises the Labor Department on issues affecting U.S. employee benefit plans intends to issue draft recommendations for tightening up cybersecurity in the nation’s health and retirement plans.

The recommendations aim to help plan sponsors “understand, evaluate and protect benefit plan data and assets from cybersecurity risks,” according to a memo issued by the Advisory Council on Employee Welfare and Pension Benefit Plans.

The council plans to study the cybersecurity considerations of benefits plans during a meeting in Washington, D.C., next month, according to a May 16 Federal Register notice.

This isn’t the first time the council has studied the issue, but it does come amid a spate of hacks of private health insurers in recent years.

“No individual, organization, or industry is immune from cyberthreats, including benefit plans,” council members wrote in the memo. In fact, benefit plans may be particularly vulnerable, as they involve the sharing of data among a number of sources, including administrators, actuaries, auditors and others. “It is critical for plan sponsors and vendors to manage this data with the objective of minimizing exposure to the cyber threats that exist now and will develop in the future,” the memo stated.

Cybersecurity considerations are complicated by the fact that there’s no one-size-fits-all standard, because plans can vary widely in size and complexity. In addition, “most plans do not have unlimited resources to devote to administration,” the memo noted .

Another wrinkle: Retirement plans are held to the “fiduciary standard” that restricts the use of plan assets to paying benefits and “reasonable” administrative costs. The Labor Department hasn’t issued any definitive guidance about how plan administrators can assess a “reasonable approach for cyber readiness” compared to plan assets. And, in fact, the memo says that question is about the scope of the current study.

Instead, the study will focus on “outlining the scalable elements of cyber-risk management strategies for benefit plans,” the memo stated.

The increased focus on cybersecurity comes amid a slew of recent data breaches involving benefits plan.

Last year, The Washington Post called 2015 the “year of the health-care hack,” pointing to breaches at Anthem, which affected some 80 million beneficiaries, and a string of data leaks at other Blue Cross-affiliated health insurance plans last year.

Earlier this year, the Office of Personnel Management announced it would issue new rules to health insurance companies that provide coverage for federal employees for reporting cybersecurity incidents.

There are increasing questions about the vulnerability of retirement accounts:

In 2012, a cyberattack against a contractor for the Federal Retirement Thrift Investment Board exposed account data, including personally identifiable information, on 123,000 account holders. Just last year, auditors for Labor’s Employee Benefits Security Administration pressed the board, which manages federal employees’ 401(k)-style retirement accounts, to speed up fixes for preventing hackers from accessing its systems.