Payroll provider cyber-attack – how resilient are you?
You’ve probably seen press coverage of recent high profile cyber-attacks targeting outsourced payroll providers. These highlight the business critical importance of running and maintaining a secure payroll, and the importance of employee data handling across organisations both locally and globally.
This article discusses the latest in a series of attacks, which have impacted payroll data/providers, this time due to a vulnerability in file transfer software. This enabled criminals to access important personal information of multiple companies’ employees in one hit.
This significantly impacted the employee experience and trust in the employer, as well as having reputational impacts and creating potential payroll compliance, cyber, legal and data security issues.
Being able to respond to those cyber, legal and security considerations is the priority. But going forward, payroll functions (and other departments handling employee data) also need to ensure they have robust processes and controls in place. This ensures business continuity and the capability to process an accurate, timely and compliant payroll in case of any unexpected events or ongoing investigations.
What’s the impact of a cyber-attack on payroll?
The immediate impact of a cyber-attack targeting payroll includes:
- Delays in employees receiving their pay;
- Compliance failures (such as late payment of local tax and social security, as well as revenue authority reporting);
- Late payment of third-party liabilities (such as pension contributions, benefit providers etc.); and
- Potential data protection regulation breaches.
Longer term impacts include:
- The effectiveness of your payroll disaster recovery planning (does this need to be reviewed and amended?);
- Reputational damage both internally with your employees and externally with your customers and other stakeholders;
- The appropriateness of your data handling procedures and governance (both internal and external);
- Where relevant, reviewing payroll vendor service level agreements and key performance indicators;
- Where relevant, reviewing outsourcing contractual arrangements with all external providers;
- Revisiting your current payroll operating model to identify gaps and key changes required to ensure it is fit for purpose and effective going forward; and
- Potential data regulation breaches leading to possible formal reviews by governing bodies and, potentially, penalties levied.
But these potential impacts are just a few of the key concerns and there will be others depending on the specific situation.
This latest attack presents a concern not only to the payroll/HR/Finance function and the broader organisation, but to employers and employees more widely, and raises a number of questions:
- Why are we seeing more data breaches from cyber-attacks?
- Can anything be done to prevent them?
- Whether my payroll is in-house or outsourced, what concerns should I have in respect of my employee data handling?
- Is it just payroll that I should be concerned about?
1. Why are we seeing more data breaches from cyber-attacks?
Worldwide, the cyber threat landscape has changed dramatically in recent years.
During the coronavirus pandemic, cyber criminals took advantage of businesses moving to remote working: the change from working in a cyber-protected office space to working remotely introduced potential vulnerabilities at the connection between home and office systems.
Following on from this, increasing volumes of cyber-attacks continue to threaten businesses and individuals, with attackers continuing to devise new approaches to achieve their objectives.
2. Can anything be done to prevent them?
Breaking the attack pattern
Preventing, detecting and responding to cyber-attacks at the earliest opportunity limits the business impact – and the potential for reputational damage.
Even though it’s normally the most motivated attackers who have the persistence to carry out multiple stage attacks, they will frequently use commodity tools and techniques (i.e., that are readily available and interchangeable), which are cheaper and easier for them to use.
So, putting in place security controls and processes that can mitigate commodity attacks will go some way to making your business a more difficult and therefore less attractive target.
Equally, adopting a defence-in-depth approach to managing cyber risks will give your business more resilience to cope with attacks that use more bespoke tools and techniques.
3. Whether my payroll is in-house or outsourced, what concerns should I have in respect of my employee data handling?
Whether your payroll is in-house or outsourced, the first thing to remember is that it remains your responsibility as the employer to ensure that your employees are paid accurately and on time.
It is also your responsibility as the employer to ensure all local tax and social security liabilities are paid to revenue authorities, accurately and on time, regardless of whether you outsource your payroll to a third party.
In addition to this, in the event of any breach of their personal data your employees will no doubt look to you as their employer to manage the issue regardless of who is at fault.
With those responsibilities in mind, due diligence is a must when seeking the best solution for your payroll.
Some initial questions to think about when selecting or reviewing your current payroll provider include:
- Should an outsourced third party hold bank details and be responsible for the transfer of payments, or should this be retained in-house? If outsourced, what software is used for the file transfer and how secure is it?
- What anti-malware protection does my outsourced third party use, and how often is it tested and updated?
- What protection is used internally in my company if the activity is completed in-house?
- What staff privacy policies does my outsourced provider adopt? Do they adopt hybrid working? If so, how can they confirm my payroll data is secure?
- Is my disaster recovery plan up to date and does it include cyber-attack plans?
In summary, you should be able to demonstrate to your relevant stakeholders that whatever solutions support your employee data handling and payroll, adequate security measures are in place to protect you and your employees’ data.
4. Is it just payroll that I should be concerned about?
In short, no.
An organisation captures employee information to maintain records and ultimately pay them each pay period. However, employee data is also, for example, used to maintain HR records, report to revenue authorities, instruct banks to make payments, enrol employees on pension schemes, reimburse expenses, and post instructions to the accounting software.
Employee data may also be shared with third parties, for example to support the maintenance of benefit or pension schemes or an external review. The use of employee-related data is broad, and it is an organisation’s responsibility to ensure that it is maintained, used and shared at an appropriate level, with the appropriate controls, in a secure manner. Access to data may be affected not only by the security of systems, but also by how an organisation maintains controls in the physical environment.
In light of this, initial questions to consider in relation to your organisation’s employee data handling include:
- How could your organisation demonstrate that employee data is handled and managed appropriately at all levels?
- How do you ensure your data governance policy remains current and has input from stakeholders who process, require or handle employee data?
- How do you know that access rights on all systems holding employee related data, segregation of duties for the systems, and processes associated with the use of employee data are – and remain – appropriate?
- Where third parties handle data on behalf of your organisation, how do you evaluate and monitor the protocols in place to ensure this data is securely maintained and accessed?
How KPMG can help
Following on from what we have seen of the recent cyber-attacks, now is the ideal time to review your payroll processes, controls and business continuity plans to ensure these are fit for purpose and support compliance.
There are some immediate actions to consider including:
- A review of incident and crisis management playbooks that are focused on data exfiltration/ransomware response and notification requirements to regulators and individuals impacted;
- A crisis scenario simulation to test practical response capabilities;
- Completing a review of the employee data handling procedures and controls including cyber and data privacy considerations;
- Reviewing / developing a business continuity and disaster recovery plan;
- Reviewing the current and future payroll vendor strategy, including Cyber/Legal focus; and
- Completing a payroll compliance review.
If you would like to discuss how KPMG can provide Cyber, Legal or Payroll support, please do get in touch with Elizabeth Huthman (Cyber), Isabel Simpson (Legal), Emily Salathiel (Payroll Advisory) or Sandra Hurley (Payroll Advisory).