Cybersecurity Policy Overview
Hunter Benefits Consulting Group (HBCG) recognizes that it is critical to rise to the challenge of defending participant data against threat actors. Our security considerations include not only the vulnerability of participants’ personally identifiable information (“PII”), but also the defense of our systems, as well as recovery plans in the event of an incident. We take our duty very seriously and want our clients to feel confident that their plan’s information is protected against the ever-evolving threat of cybersecurity fraud.
HBCG has a comprehensive, robust cybersecurity defense policy. This Overview is intended to provide information regarding the privacy policies and risk mitigation tools we’ve implemented, as well as recommendations on how we can work together to help keep your participants’ personal information safe from unwanted exposure.
Use of Secure Portals and Password Protected Correspondence
HBCG provides all clients with access to a secure portal to allow secure transmission of necessary data between our clients and us.
- We will always use this method to send information to our clients and require them to use the portal to send their information to us. Portal use training is available.
- Each client user will be required to have his or her own User ID and password to guarantee only appropriate access to the portal and the data contained therein. When we place information in the portal, we will notify our client’s appointed Primary Contact to ensure receipt of the information.
PII Participant Data Protection
HBCG and its vendors consistently and regularly run antivirus scans, maintain cutting-edge firewalls, and conduct routine patch management tests. All software updates recommended by our vendors are implemented immediately in accordance with rigorous IT protocols.
- PII, such as social security numbers, dates of birth, and compensation, is stored within our database, which is designed to withstand an assault from threat actors based on the most current technology available.
- Data stored within our systems will be accessed only by authorized personnel who are required to adhere to all security protocols as part of their employment requirements.
- HBCG keeps abreast of necessary updates to our system and risk response program.
- We regularly review our information system risks and protocols, and work with our IT professionals to consistently improve our threat assessment and response to any possible attack.
Regular Cybersecurity Audits
As recommended by the U.S. Department of Labor, we engage a leading security firm to conduct regular cybersecurity audits to test the integrity of our software system, identify potential weaknesses in our secure files and implement a resiliency program in the event of a data breach.
- We regularly receive a comprehensive report of the audit with recommendations, if any, on any additional security protocols or system improvements to ensure that effective technical controls continue to be in place.
- Any interaction HBCG has with third party service providers, such as document or recordkeeper software vendors, is also reviewed to ensure that the link between the entities is not a point of vulnerability.
- We work with the security firm to develop and maintain an ongoing secure system life cycle program.
As a precaution, and to ensure the strongest response possible in the event of an incident, HBCG maintains cybersecurity insurance. If, despite all reasonable efforts, there were to be unauthorized access to our client’s PII, this insurance is one part of our response protocol, which includes quick notification of all potentially exposed individuals and provides them with identity theft monitoring and mitigation services. It is our greatest hope that all other prophylactic measures will prevent the need to initiate an insurance claim, but HBCG wants its clients to know that it is taking steps to protect all plan participants.
Verification and Update of Primary Contact
To prevent the sharing of confidential information with persons no longer authorized to communicate with us on our client’s behalf, HBCG requires:
- All clients initially identify a Primary Contact and provide us with that person’s information, including all phone numbers and email addresses.
- When the initial Primary Contact ceases to be the appropriate contact point (such as when they terminate employment with the client), the client must immediately advise us to disable all system access for that contact and provide a new Primary Contact so we may update our database.
- We also require that all clients confirm the Primary Contact on an annual basis.
Resilient Response Plan
As part of HBCG’s cybersecurity program, we have a dedicated member of senior management who will follow our documented procedures and is responsible for:
- Coordinating the ongoing security efforts,
- Managing any necessary response to a breach,
- Responding to a potential disaster or other incident that might disrupt our daily operations, and
- Ensuring timely recovery and resumption of our IT infrastructure, business applications, and data services.
In the event of a cybersecurity breach, our response plan will mitigate all possible damages by (as applicable):
- Immediately informing law enforcement.
- Notifying our cybersecurity insurer.
- Conducting a thorough forensic investigation of the breach to identify the source.
- Communicating with all affected clients, coordinating our participant notification process, and keeping them informed of the situation.
- Identifying and notifying affected plan participants and providing them with monitoring services.
- Targeting and fixing any vulnerabilities within our system that may have enabled the breach to occur.
Cybersecurity Awareness Training
HBCG engages highly qualified cybersecurity experts to conduct periodic training for our staff.
- It is important for our staff to stay abreast of constantly evolving cybersecurity threats.
- When all personnel are reminded of the proper procedures in the event of an incident, it ensures the swiftest response possible when the worst occurs.
- Informed employees more readily spot irregularities and prevent threat actors from gaining improper access to the system.
- The more rigorous our awareness training program, the less likely it is that a threat actor can gain unauthorized access.
While HBCG has taken the above steps to mitigate the possible actions of a threat actor, it is also important for you, our client, as a fiduciary of the plan, to take actions to ensure the security of your participants’ PII. We highly encourage you to read the U.S. Department of Labor’s recommendations on cybersecurity for both Plan Sponsors and Individuals: https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414
You should also educate your participants on the steps they should take to protect themselves. These include (but are not necessarily limited to):
- Use complex passwords and change them frequently.
- Take advantage of security features offered by financial institutions.
- Beware of phishing scams.
- Understand how Social Security, Medicare, and the IRS communicate with citizens.
- Avoid using public Wi-Fi.
- Be cautious as to what information you post on social media.
- Do not share passwords with anyone.
If you have any questions about cybersecurity and your plan, please contact your Hunter Benefits Consulting Group Compliance Consultant.