Council Foundation Logo Leaders Edge

December 20, 2018

The unpredictability of cyber threats was highlighted in a recent Q&A by the American Institute of Certified Public Accountants (AICPA), where they sought to explore cyber risk in relation to employee benefit (EB) plans. The AICPA highlighted that cyberattacks are often carried out through ransomware and phishing techniques, and provided some real-world examples of cyberattacks involving employee error.

“An email, purported to be from the plan sponsor’s top executive, was sent to the human resources (HR) department requesting sensitive employee data,” the report explained. “HR responded by sending the information before realizing it was a “spear phishing” or “whaling” email from an outside party,” exposing this particular organization to enormous amounts of both data and financial risk.

AICPA also observed that EB plans often present a unique challenge when it comes to protecting data, due to the fact it handles particularly valuable “personally identifiable information” (PII) in addition to electronic protected health information protected under HIPAA. Such a breach in may result in a violation of HIPPA policy, exposing the plan sponsor not only to fines under state and federal cyber breach regulation, but also to litigation under HIPAA.

While our industry can forecast California’s fire season and when the hurricane season poses threats to coastal properties, it’s nearly impossible to predict when, where and how a cyberattack will happen.

According to Symantec’s 2018 Internet Security Threat report, an estimated one in every 131 emails contains malware, the highest recorded rate in about five years. Moreover, a recent Willis Towers Watson Cyber Risk Culture Survey suggests that nearly half of employees believe it is safe to open any email on a work computer, while approximately 90 percent of cyber breach-related claims are traced back to human negligence or behavior, only further emphasizing the importance of adequate employee cyber-risk training.

In a recent CouncilCast, Josh Motta, CEO of cyber MGA Coalition, described cybersecurity as a matter of offense and defense. While the adversary only has to be successful once to penetrate a system or gain access through a malicious email, the defense has to be right 100 percent of the time. As a result, just one click by an employee could lead to devastating consequences.

The global insurer Hiscox painted an even more sobering picture: according to a study, Hiscox performed in October 2018, small businesses in the UK are subject to 65,000 cyberattack attempts a day on average, proving that no company is too small to fly under the radar of cyber criminals.