Corporate financial operations are a logical target for thieving hackers — and thus cyber-security measures in that department are taken with utmost care. But rightly or wrongly, the employee benefits department is perceived by some as the “soft underbelly” in the world of corporate hacking targets, according to Adam Solander, a member of the Epstein Becker Green law firm.
Solander and his colleague Robert Hudock have recently assisted several clients when hackers sought to raid employee 401(k) accounts.
If a hacker has managed to gain enough employee data through a phishing expedition, he can impersonate that individual and initiate a transfer of funds to a local bank, a transaction that would not set off alarm bells as quickly as an attempt to transfer the funds directly to a foreign bank.
The hacker’s strategy is to make the initial transfer to a nearby bank, and from there, to an offshore bank. “We’ve seen hackers try this three or four times this year,” says Hudock. In all but one case, however, the funds were recovered before they left the country.
Who is responsible?
Although the principal 401(k) recordkeepers have sophisticated cyber-security systems in place, some smaller firms may not. The recordkeeper may — or may not — be responsible for recovering stolen 401(k) funds. “Under most contracts the plan sponsor has to fulfill certain conditions” to be indemnified against losses, Solander says.
The service agreement, for example, might establish standards for firewall maintenance and systematic patching of detected vulnerabilities. A failure to do so on the employer’s part would take the recordkeeper off the hook in the event of a successful hack.
Sometimes, the hackers live a lot closer to home than one might expect.
In one case Hudock is familiar with, an employee tried to perpetrate a fraud to double his 401(k) assets. “The employee gave his girlfriend his login information, told her to transfer the funds out, then told the employer his account had been hacked,” he recalls. The scam was unsuccessful.
Risk analysis
One might not expect an “inside job” to create such headaches, but employee benefit professionals need to ensure that any companywide hacking risk assessment includes their departments. Or if they are unsure whether they have been covered, they can conduct a risk analysis at their own initiative, Hudock suggests.
Reviewing internal practices could reveal, for example, that department employees with access to sensitive information on occasion transfer some data to their personal laptops to do work at home, thereby potentially creating a major breach in the firewall.
“Most firewalls are good at blocking activity from the outside, but aren’t as good at blocking data being removed from the inside,” Hudock says.
Risk analyses frequently turn up “hidden repositories of sensitive information” that dwell outside the company firewall. “It could be someone in HR collecting data for a legitimate purpose, but if the security people don’t know about it, they can’t protect it,” Hudock warns.