Insider Threats: Are Disgruntled Employees a Cybersecurity Risk?

Most plan sponsors’ cybersecurity concerns are that outside hackers will attempt to get access to their systems, but disgruntled employees can also pose a threat.

The Department of Labor recently updated its cybersecurity guidance to cover all Employee Retirement Income Security Act employee benefit plans, including health and welfare plans, along with retirement plans. That means plan sponsors have much more data to protect.

Fortunately for plan sponsors, employees do not have broad access to critical information such as individual participant account passwords or retirement funds, which sit with recordkeepers and custodial banks, respectively, says Sean Fullerton, a senior investment strategist for the defined contribution team at Allspring Global Investments.

Internal threats account for about 20% of security threats, according to the Verizon 2022 Data Breach Investigations Report, making them rarer than outsider cybersecurity hacks. Jenny Eller, a principal in Groom Law’s retirement services practice group, says in the 25 years she has been practicing law, she had a single anecdote of an employee who tried to commit fraud by creating a dummy account.

Still, certain employees, such as those in human resources, information technology or treasury, may have access to plan information or other personally identifiable information. There are, however, ways to prevent or limit potential damage caused by disgruntled employees.

Limiting Access

The DOL lists a dozen best practices plan sponsors should utilize to protect their employees; chief among them is limiting access to the plan administration. It is also important plan sponsors have written and documented internal control policies, says Julie Doran Stewart, head of fiduciary advisory services at Sentinel Group, an adviser and recordkeeper to plans. Those policies include the steps a company’s HR or IT team needs to take to shut off the access for someone at the organizational level, but they also include timely communication with vendors.

“If we have a client that doesn’t tell us that this happens, then we’re only as good as the information we have,” she says.

Sentinel occasionally audits who is listed as having access to the plans they advise.

“It’s being diligent about double-checking the access points and doing sort of an internal audit, if you will, on both sides, on a periodic basis,” Doran Stewart says.

Fullerton says plan sponsors should also talk to their service providers to understand what standards of information security the providers use and validate the providers’ processes to ensure the plan sponsor is comfortable with how the organizations handle cybersecurity.  

Doran Stewart says checking with vendors should be done periodically and can be as simple as sending an annual due diligence questionnaire to advisers, recordkeepers and third-party administrators to confirm their cybersecurity policies, including specifically asking about access controls.

“The Department of Labor obviously has made this a priority from a fiduciary governance perspective, so they are going to be looking for procedures and records related to that due diligence being done,” Doran Stewart says.

The more people who have access to data or accounts, the more risk there is for fraud, says Tim Rouse, the executive director of the SPARK [Society of Professional Asset Managers and Recordkeepers] Institute, which created many of the cybersecurity best practices the DOL shares.

At the adviser level, Rouse says SPARK is leery of individuals giving advisers access to their accounts and allowing tools like screen-scraping capabilities, which have the potential for abuse.

“Other than communicating those concerns, those decisions come either at the plan sponsor level or at the individual participant’s level,” he says.

Using Technology

Plan sponsors should encourage employees to regularly log into their accounts to keep them secure, especially if it has been more than a year since they have logged in, and to use security tools such as multi-factor authentication, Doran Stewart says. That is especially important if the plan changed recordkeepers, as inactive accounts can be hacked. There may be a misconception among plan participants that if they never log in, the account will be safer, but not setting up controls makes it easier for a bad actor to hack, she adds.

There are opportunities for disgruntled employees at the plan sponsor level to embezzle money before it gets into the account, and internal controls such as audits can also help keep employee funds secure, Rouse says.

Rouse adds that SPARK is working with a committee of third-party administrators to create common file formats for Application Programming Interface, or API, connectivity to establish a more streamlined and efficient way to send data, compared with emailing spreadsheets. An API is also more resilient against cyberattacks.

Using detective controls—which can help spot and respond to security issues—on data usage can alert information technology departments to any unusual data activity, such as someone logging in at odd hours or making large downloads, says Lou Steinberg, founder of and managing partner in CTM Insights LLC, a cybersecurity research lab and funder.

Many employee benefit plans can be accessed using different methods, such as phone, computer or mobile apps, so plan sponsors should make sure both their benefits team and IT department participate in the due diligence process when they meet with vendors.

“Those are two different skill sets … so keeping an open line of communication [about] how they can mutually assist each other … is important,” Doran Stewart says.