COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an items that you feel is outdate, irrelevant or no longer appropriate, please let us know.
Data breach statistics have constantly pointed to third-party service providers being the most significant conduit for compromised personally identifiable information or personal health information. A new era in vendor monitoring has emerged to gain efficiency in the responsibility to oversee service providers.
Source: Rolandcriss.com, October 2023
To minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission's new cybersecurity rules, should adopt prevention measures against threats, and should be prepared to respond if an attack happens, experts say.
Source: Planadviser.com, October 2023
ERISA needs to catch up with the information age by identifying plan data as a plan asset, resolving the current ambiguity on that point that has led courts to decide otherwise, and developing the related fiduciary duties, argues Michael Schloss of The Wagner Law Group.
Source: Wagnerlawgroup.com, October 2023
Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust, and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers' nest eggs, explains Gregg Levinson, senior director for retirement at WTW.
Source: Plansponsor.com, October 2023
Earle Allen, Principal with CAPTRUST, asked former EBSA Assistant Secretary Preston Rutledge for an idea of what to expect from a DOL cybersecurity audit and how far plan sponsors and advisors should go in preventative measures. Here is the response.
Source: Napa-net.org, October 2023
If there's one big takeaway for plan sponsors following the massive MOVEit cyberattack that breached the personal data of millions of participants in public pension and private-sector workplace retirement plans, it's this: They may need to rewrite their vendor contracts and redouble their monitoring of service providers. While no sponsors have yet been sued, it's not far-fetched to think that they could be, according to legal experts.
Source: Pionline.com, August 2023
Almost 26,000 New York Life customers had their names and Social Security numbers exposed to a data breach, the latest in a massive hack that affected hundreds of companies and millions of Americans. The hack occurred in late May and involved Progress Software, the provider of MOVEit transfer software. MOVEit is used to transfer client data securely.
Source: Napa-net.org, August 2023
Retirement plan providers and advisers should be taking a close look at vendor cybersecurity protocols after a software transfer hack exposed the private data of millions of people, including retirement plan participants, according to industry experts. SPARK Institute members guide how advisers can both prepare for and respond to participant data concerns stemming from the nationwide breach.
Source: Planadviser.com, July 2023
The Tennessee Consolidated Retirement System notified retirees and beneficiaries that their names, Social Security numbers, dates of birth, and mailing addresses had been compromised.
Source: 401kspecialistmag.com, July 2023
If a retirement plan has a business relationship with any service provider that uses, used, or may have used the MOVEit software application or RCH services, the plan should determine what fields or categories of personal information were shared with the service provider(s), and by extension MOVEit or RCH, to determine the impact on the plan and its participants. Any service agreements with the applicable vendors should also be reviewed concerning data breach notification, information reporting, and follow-up obligations of the service provider(s).
Source: Beneficiallyyours.com, July 2023
If it wasn't already clear to plan sponsors and retirement plan advisers, Employee Benefits and Security Administration head Lisa Gomez reiterated this week the importance of cybersecurity and increased protection for participants in a new post providing eight areas for guidance. In her blog post on the Department of Labor website, Gomez laid out various tips plan sponsors and advisers can convey to participants for keeping their information safe.
Source: Plansponsor.com, July 2023
Experts share tips for how plan sponsors can protect themselves from the increasing threat of cybersecurity attacks and evolving litigation.
Source: Planadviser.com, June 2023
Retirement plans are a target today because that is where so much wealth is held by American savers. Therefore it is crucial for retirement plan committees -- and their advisers -- to engage in cybersecurity discussion and reviews as an ongoing part of their work.
Source: Planadviser.com, June 2023
A major cybersecurity breach involves one of the world's largest pension funds. CalPERS announced last week that approximately 769,000 retired members and their families had personal information exposed in a "worldwide data security incident" that impacted one of its contracted third-party vendors, PBI Research Services/Berwyn Group.
Source: Napa-net.org, June 2023
Retirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans, has alerted more than 10,500 individuals that their data, including individual retirement account numbers, may have been compromised. The organization alerted individuals with written notice, dated May 12, that their information may be at risk for fraud, according to public filings in the states where they are located.
Source: Plansponsor.com, May 2023
At PSCA National just last week, ARA CEO Brian Graff and EBSA Assistant Secretary Lisa M. Gomez discussed a wide range of topics, including the many misunderstandings about cyber liability insurance (which could be a huge fiduciary failure) and the ESG rule.
Source: Napa-net.org, May 2023
A retirement plan participant has dropped a lawsuit filed against Transamerica Retirement Solutions alleging that the retirement plan provider failed to exercise reasonable care in securing and safeguarding personally identifiable information, including names, addresses, Social Security numbers, and retirement fund contribution amounts.
Source: Planadviser.com, March 2023
Because of the scarcity of case law and regulatory guidance on the issues, any case that analyzes the liability of ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized. A recent opinion in the Southern District of New York has widened the scope of liability for potential ERISA defendants in actions seeking to recover fraudulent distributions from ERISA-covered plans. It has also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money.
Source: Wagnerlawgroup.com, February 2023
It is a growing club that no one wants to join: the club of companies that became victims of cyberterrorism. Whether the release of credit card data from the infamous Target inside job, the gas pipeline shutdown at Colonial Pipeline, or the more recent CNA Financial ransom attack, it is often not a question of "if" a company will be attacked, but "when." Recently, a major software provider to third-party administrators joined this horrible club. The question addressed here is "What should we do about this issue?"
Source: Ntsa-net.org, January 2023
The digital world has opened many doors, including theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. This article reviews how plan sponsors can protect themselves and their participants while meeting fiduciary obligations.
Source: Captrust.com, January 2023
A New York federal district court ruled on December 19, 2022, that a participant in the Colgate-Palmolive defined contribution plan adequately alleged breach of fiduciary duty claims against the plan recordkeeper and the plan fiduciary committee. It is a curious decision that is worth studying to understand whether plan participants have potentially viable claims against the plan recordkeeper and plan fiduciaries when a participant's account is hacked.
Source: Euclidspecialty.com, December 2022
Employer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, and cryptocurrency investing is particularly at risk for scams, according to two financial-focused cybersecurity experts.
Source: Planadviser.com, December 2022
The SPARK Institute released Monday its Plan Sponsor and Advisor Guide to Cybersecurity, laying out its specific data security "Best Practices and seventeen Control Objectives." Developed by its Data Security Oversight Board, SPARK's best practices and control objectives establish a base of communications between recordkeepers and the public through third-party audits of cybersecurity control objectives.
Source: Planadviser.com, November 2022
Recordkeepers and retirement industry consultants are banding together to beef up cybersecurity. A collaborative effort between recordkeepers and consultants leads to updated Data Security Best Practices and a new Plan Sponsor and Advisor Guide to Cybersecurity to strengthen the retirement industry's defenses against cyber criminals.
Source: 401kspecialistmag.com, November 2022
Cybercriminals are creative and resourceful and they're not just after bank accounts. Industry experts in a recent webinar cautioned that retirement plans are in their sights as well. This article outlines some concrete steps that can be taken to address and protect retirement plans against cybercrime.
Source: Ntsa-net.org, October 2022
Cybersecurity breaches concerning workers' personal information and retirement savings have increased liability risks for benefit plans and third-party administrators under federal benefits laws. In February 2021, the GAO issued a report warning about these increased legal risks for ERISA plan fiduciaries due to cyber breaches. The GAO also warned that outsourcing various functions involving retirement plans to third-party administrators could increase the potential for unauthorized access to participants' information. In recent years, the GAO's warnings have become a reality.
Source: Hallbenefitslaw.com, October 2022
It is no surprise that cyberattacks are a grave concern for sponsors of retirement plans. Under ERISA fiduciaries and persons handling funds must be bonded to protect against fraud and dishonesty. This article discusses this required ERISA bond and the interplay of other types of insurance coverage and concludes with a recommendation that Congress amend ERISA to require insurance to address cyber crimes.
Source: Foxrothschild.com, October 2022
Cyber insurance is a critical component of the cyber security risk management program necessary to protect employee benefit plans and participant retirement assets. But the current way plan fiduciaries seek cyber and crime coverage needs to change and this article explains why.
Source: Euclidspecialty.com, October 2022
In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL Subpoena
In an enforcement action involving an administrative subpoena seeking documents from a service provider for employer-sponsored health and retirement plans, the Seventh Circuit held that the DOL's investigatory authority under ERISA is not limited to ERISA plan fiduciaries. The Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome.
Source: Westlaw.com, October 2022
Most of us have heard that a plan participant in the Colgate-Palmolive 401k plan suffered a cyber theft of her entire account balance, and sued the plan fiduciaries, the recordkeeper, and the bank custodian, all three of which are disclaiming fiduciary liability. There has to be a better answer than saying "I’m sorry" to a plan participant who has lost his entire account balance. This article explores these issues after a summary of the case and the positions of each defendant in their respective motions to dismiss.
Source: Euclidspecialty.com, October 2022
Cybersecurity should be top of mind for retirement plan fiduciaries, not only because the risks of a data breach or fraud are on the rise but also because the DOL has begun auditing retirement plans with a focus on cybersecurity. What's the best way for plan fiduciaries to mitigate risks while also demonstrating compliance with recent DOL guidance? Conduct a cybersecurity compliance review. This article outlines best practices for conducting such a review.
Source: Ifebp.org, September 2022
Parties involved in a DOL investigation often ask a simple question: how much information am I obligated to provide the DOL in response to an administrative subpoena? A recent decision, in the United States Court of Appeals for the Seventh Circuit, Walsh v. Alight Solutions, LLC, provides some guidance.
Source: Groom.com, August 2022
The topic of cybersecurity insurance has crept to the top of the charts for the DOL's ERISA Advisory Council. Each year, the EAC picks topics it deems crucial to the administration of ERISA. For their May 6, 2022, meeting, they chose cybersecurity insurance and employee benefit plans as one of their topics. When the DOL and, specifically, the EAC take a closer look at a topic like cybersecurity insurance for those who handle employee benefit plan data, you can rest assured it will soon become a mandatory focus.
Source: Penchecks.com, August 2022
Cybersecurity is a tech-centric term that often makes business unit leadership's eyes roll. That response is risky because cybersecurity ranks among the most vital issues facing human resources, finance, and administration executives. Employee benefit plan leaders face a new era that requires administration and risk management behaviors that are not part of traditional fiduciary best practice thinking.
Source: Rolandcriss.com, August 2022
Several lawsuits have been filed against plan sponsors and their recordkeepers, including Estee Lauder, Abbott Laboratories, and recordkeeper Alight, as a result of the theft of plan participant assets. Those cases have not resulted in final decisions clearly defining the responsibilities of fiduciaries and service providers, but a newly filed lawsuit against Colgate-Palmolive and Alight provides another opportunity to do so.
Source: Cohenbuckmann.com, July 2022
Cybersecurity is not merely a technology issue. For that reason, fiduciary committees must understand they have a legal duty to protect the personally identifiable information, personal health information, and assets of their employee benefit plans from exposure and to protect electronic systems from exploitation by hackers. Read how some fiduciary committees address the challenge.
Source: Rolandcriss.com, July 2022
A Maryland man was indicted on money laundering charges in early June after he and accomplices allegedly hacked into the 401k account of an employee at a New Jersey-based company. They added a bank account belonging to another individual without the victim's knowledge or authorization.
Source: 401kspecialistmag.com, June 2022
The DOL's cybersecurity investigation into Alight Solutions, a retirement plan recordkeeper, has queued up court rulings on the reach of the DOL's subpoena power that may have important implications for ERISA plan sponsors and their respective recordkeepers and service providers moving forward.
Source: Erisalitigationadvisor.com, June 2022
This learning deck will help you understand the latest guidance on cybersecurity for qualified retirement plans, adapt the tips for hiring a plan service provider, know cybersecurity program best practices for qualified retirement plans, and recognize the role of the financial advisor in cybersecurity.
Source: Fi360.com, June 2022
A consulting firm's data breach has triggered a second class-action lawsuit by an affected participant on behalf of a class of some 2,500,000 individuals. The suit, brought by plaintiff Greg Torrano, claims that 2,537,261 individuals signed up for benefits plans through their employers only to subsequently find out personally identifiable information, including names, birthdates, and Social Security numbers, had been stolen in a data breach.
Source: Ntsa-net.org, May 2022
Employee benefit plans are attractive targets for hackers because they contain sensitive data, including health care information. The article outlines 12 steps to take before and during a data breach to ensure the best possible outcome for your employees and benefit plan participants as well as your organization as a whole.
Source: Ifebp.org, May 2022
The Department of Labor isn't backing down on its cryptocurrency concerns, but a written response to U.S. Sen. Tommy Tuberville includes some comments concerning its application to self-directed brokerage windows. The DOL's April 30 response to Tuberville's letter to Labor Secretary Marty Walsh from Acting Assistant Secretary of Labor Ali Khawar regarding the Compliance Assistance Release on cryptocurrency reiterates the motivation for the release.
Source: Napa-net.org, April 2022
Cyber criminals are as innovative as those who develop and refine the technology they manipulate—and now their targets include the retirement industry. Experts in a recent panel, and also in a report, weighed in on the tricks those criminals use and strategies that can help thwart them.
Source: Asppa.org, April 2022
401k cybersecurity risk exists for all retirement plans. However, having a remote workforce exponentially increases 401k cybersecurity risk. Remote employees present employers with multi-point networking exposure that has grown to be one of the bigger concerns about cybersecurity. The proliferation of remote workers can be traced back to the early stages of the Covid-19 pandemic. A new study shows that employers have work to do when it comes to mitigating 401k cybersecurity risk.
Source: 401ktv.com, April 2022
Cyber insecurity is a serious problem. Only 76% of RIAs hold cyber insurance, leaving 24% unprotected in case of a breach in addition to being exposed to these threats. Of those with cyber insurance, the median coverage amount is only $1 million. These assets and the personal information that come along with them are even more vulnerable due to the numerous parties collaborating on them, from recordkeepers to payroll companies to TPAs to plan sponsors and everyone else in between. To combat these online threats, start by asking questions.
Source: Fiduciarydecisions.com, March 2022
As DOL investigators grapple with applying the Guidance along with their internal resources, it remains unclear whether they will be fixated on requiring in all cases an express designation of a Chief Information Security Officer by all retirement plan sponsors and plan service providers. Of course, it will be important for organizations to clearly define and assign information security roles and responsibilities. The lack of a CISO designation alone should not necessarily mean an organization's data security efforts are rudderless.
Source: Benefitslawadvisor.com, March 2022
With $10 trillion in 401k and other defined contribution retirement assets to safeguard, retirement industry regulators are intensely focused on the issue of cybersecurity. Account consolidation can lower retirement savings cybersecurity risks by minimizing the sheer number of fraud-prone, small-balance retirement savings accounts.
Source: 401kspecialistmag.com, March 2022
In consideration of Data Privacy Day, it is the perfect time to take stock of retirement and health plan information. Here are some questions benefit plans should be asking concerning plan data.
Source: Groom.com, January 2022
401k plans face significant cybersecurity risks for which there is no federal safety net. Service providers are very much on the front line, but plan fiduciaries need to treat cybersecurity with the same high degree of diligence that they exercise with investment decision-making and all other plan administrative matters. The key to mitigating risk is conducting a self-assessment using the Cybersecurity Preparedness Checklist for Plan Fiduciaries and building a strategy around the results of that assessment.
Source: Mcdonaldhopkins.com, January 2022
Technology-empowered threats to the security and confidentiality of retirement plan assets and data are exploding. Current fiduciary management methods largely lack a formal interface with the information technology function and its storehouse of expertise. These two realities demand that fiduciary committees embrace their enterprises' information technology departments in a new era of collaboration.
Source: Rolandcriss.com, January 2022
A district court has enforced an administrative subpoena issued by the DOL seeking an ERISA plan service provider's cybersecurity records. The subpoena is part of an investigation into the service provider after it allegedly processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients.
Source: Hodgsonruss.com, December 2021
With cybersecurity threats getting increasingly sophisticated and costly, plan sponsors can no longer afford to wait to address the threats to their retirement plans. In a Dec. 16 webinar by the Plan Sponsor Council of America, Daniel Aronowitz, Managing Principal with Euclid Fiduciary, and David Levine, Principal at the Groom Law Group, walked webinar participants through the different types of cyberattacks, as well as recent regulatory, legal and industry developments and how plan sponsors can protect themselves.
Source: Asppa.org, December 2021
In a lawsuit, he alleges the retirement plan service provider did not take steps to protect the personal information of participants in plans it serves.
Source: Planadviser.com, December 2021
Failing to adequately address data privacy and security will likely result in a breach of fiduciary duty claim. Knowing there is sensitive data at risk, what should employers, plan administrators and their plans do? This article contains some helpful starting points.
Source: Clarkhill.com, December 2021
The DOL's cybersecurity best practices for plans covered by ERISA makes it clear that plan sponsors, service providers, and participants share responsibility for protecting plan accounts. The adoption and implementation of ERISA cybersecurity policies and procedures will be your best defense against fiduciary litigation and DOL investigations, which are certain to arise in the wake of the DOL's guidance. Here are some tips.
Source: Troutman.com, December 2021
Alight has been sued by retirement plan participants whose accounts were hacked, and the Department of Labor is investigating the provider's practices.
Source: Planadviser.com, December 2021
Shortly after the DOL's Employee Benefits Security Administration issued its cybersecurity guidance for employee retirement plans and updated its audit inquiries to include compliance with these guidelines, a federal court in Chicago ruled an employee benefit services provider must comply with a subpoena requesting, among other things, documents and communications relating to the provider's information security and cybersecurity plans and controls.
Source: Erisalitigationadvisor.com, November 2021
Retirement plan fiduciaries often rely on their service providers to create the electronic systems used to maintain participant data and conduct electronic transactions involving plan assets, so the Department of Labor is paying special attention to these relationships.
Source: Planadviser.com, November 2021
The DOL has become highly focused on the cybersecurity practices of plan sponsors and their service providers and has begun asking comprehensive cybersecurity questions in plan audits. It seems clear the DOL is concerned not just with theft of plan data or assets, but also with the misuse of confidential participant data.
Source: Wagnerlawgroup.com, November 2021
Whatever a particular fiduciary's degree of involvement with cybersecurity may be, the DOL's enforcement initiative should prompt the fiduciary to get ready for the scrutiny of their cybersecurity preparedness and oversight of the preparedness of their defined contribution retirement plan service providers, for example, 401k plan recordkeeper or institutional trustee. Whether a fiduciary has been highly engaged with cybersecurity or not, this is article outlines a fiduciary action plan.
Source: Keightleyashner.com, October 2021
Fiduciaries should complete this checklist for each service provider, for example, a payroll provider, 401k plan recordkeeper and administrative service provider, and an institutional trustee. Neither the DOL guidance nor this checklist ranks or assigns relative importance to the questions and practices it describes. To the extent questions in this checklist are answered in the negative, consideration should be given to potential changes in policy, procedures, contract terms, and/or monitoring, as appropriate. Answering "yes" to questions provides a degree of assurance but is no guarantee that fiduciary conduct would be considered prudent.
Source: Keightleyashner.com, October 2021
Cybersecurity breaches are a growing concern among advisers, and, without sufficient protection, the benefits of America's workers may be at risk. With this challenge in mind, a recent panel discussion hosted by Fi360, a Broadridge company, detailed how to prepare a plan to keep up with current and future risks.
Source: Planadviser.com, October 2021
Benefit plan sponsors and service providers need to take a proactive approach to cybersecurity and be prepared for a possible DOL investigation. Although the immediate attention has been on retirement plans, health and welfare plan sponsors and fiduciaries should also be prepared to field questions about cybersecurity from DOL auditors.
Source: Groom.com, October 2021
Fiduciaries at large, sophisticated plans tend to understand their responsibility and have resources and staff to regularly assess contractors' fraud and data controls. But smaller firms can be left in the dark. As recordkeepers continue to make cyber improvements, they may play an outsized role in helping their smaller clients keep up. One of the things they need to be doing is helping raise awareness to plan fiduciaries that they have this responsibility.
Source: Groom.com, October 2021
Nearly one-third (31%) of retirement plan recordkeepers expect to increase their cybersecurity staff, according to a Cerulli report. Industry stakeholders suggest the threat of retirement account fraud has increased in recent years, particularly during the remote work environment, Cerulli Associates says. And, even though the majority of recordkeepers act in a non-fiduciary capacity, Cerulli points out that courts have suggested that cybersecurity is a shared responsibility.
Source: Planadviser.com, October 2021
In response to an increased threat of retirement account fraud, nearly a third of recordkeepers expect to boost their cybersecurity staff going forward, a new report from Cerulli finds. Even though plan providers have always been subject to cyberattacks, this is an issue that has become more acute in recent years, particularly during the remote work environment when many employees are working on less secure home networks and personal devices during the pandemic.
Source: Napa-net.org, September 2021
The DOL's "Cybersecurity Document Requests" reveal the DOL has been asking for quite an extensive list of documentation. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.
Source: Retirementlc.com, September 2021
The DOL had begun asking cybersecurity questions on some plan audits in 2020 but recently began using a more comprehensive document request in plan audits. The DOL's cybersecurity document request to plan sponsors is broadly stated: "all documents relating to any cybersecurity or information security programs that apply to the data of the plan, whether these programs are applied by the sponsor of the plan or by any service provider to the plan."
Source: Wagnerlawgroup.com, September 2021
Benefit plan sponsors and plan fiduciaries should take note and act quickly. The Department of Labor has issued a new cybersecurity guidance package with far-reaching effects and has already begun including this in its enforcement efforts.
Source: Poynerspruill.com, September 2021
In today's world, most transactions involving retirement plans are conducted electronically, including maintaining and sharing data across multiple platforms. Data and personally identifiable information have become increasingly vulnerable to attack as the information travels across employer and third-party systems. Plan fiduciaries must develop best practices related to cybersecurity. This requires thought and insight and depends on the facts and circumstances. This 12-page paper is an in-depth review of the issue.
Source: Mintz.com, August 2021
Principals with Groom Law Group discuss steps retirement plan sponsors can take to avoid or be prepared for a DOL cybersecurity audit.
Source: Plansponsor.com, August 2021
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.