COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.
Cybersecurity is a major concern in the context of employer-sponsored benefit plans because plan participants' financial and personally identifiable information is maintained and shared with multiple parties. To help you assess and mitigate your organization's risk related to safeguarding this information, this article explores some important action steps.
Source: Ajg.com, July 2021
The DOL wants everyone to be attentive to cybersecurity protocols as a fiduciary responsibility, but there's a higher expectation for those "running the systems" according to Tim Hauser, Deputy Assistant Secretary for National Office Operations at the Department of Labor's Employee Benefits Security Administration.
Source: Napa-net.org, July 2021
DOL Provides Cybersecurity Guidance: Meeting Fiduciary Duty, and Avoiding Incorrect Advice to Plan Sponsors
Plan sponsors and fiduciaries have traditionally relied on advisers -- from attorneys to accountants to investment consultants -- to help guide decisions for their retirement plans. For decades, a cornerstone of this assistance has been making recommendations about retirement plan investment portfolios. With the rise of cyberattacks on financial institutions, many plan sponsors and their advisers have started to focus more time and resources on the security of their plan data, including the participant information held by service providers. The DOL also recognized the vulnerability of plans to cyberthreats and recently published three important documents.
Source: Georgetown.edu, July 2021
The focus on cybersecurity implies that the DOL will start to hold plans and their fiduciaries accountable for cybersecurity. Besides the specter of a DOL enforcement action, this guidance should remind plan sponsors that if a cybersecurity breach ever impacts their plan, they need to be prepared. Class action lawsuits that argue that they chose the wrong service provider or that PII was misused or not protected are possible.
Source: Enterpriseiron.com, July 2021
DOL Plan Audits Updated to Include Several Questions About Compliance With Its Cybersecurity Guidelines
The DOL updated its audit inquiries to include probing questions for plan fiduciaries about their compliance with agency cybersecurity guidelines. So, what do those inquiries look like? In short, the DOL is asking plan sponsors to produce: "all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan."
Source: Benefitslawadvisor.com, July 2021
While all businesses have been grappling with cybersecurity challenges for years, cybersecurity has recently come into focus for retirement plans, health and welfare plans, and other ERISA plans due to a new DOL cybersecurity initiative. The DOL has quickly followed up on this guidance by incorporating privacy and cybersecurity requests into its audits of employee benefit plans. This article outlines considerations for plan fiduciaries, including employers and investment or administrative committees, to document that they have followed a prudent process to protect the plan from losses from cybersecurity events and to protect the personal data of participants and beneficiaries.
Source: Kilpatricktownsend.com, July 2021
In light of recent reports of an increase in cybersecurity inquiries by the DOL, retirement plan administrators should accelerate their preparedness strategies for avoiding and addressing cybersecurity attacks against retirement plans. Media outlets are reporting that the DOL has begun asking plan sponsors questions related to cybersecurity policies and procedures.
Source: Debevoise.com, July 2021
Retirement account theft is one of the risks cropping up in the employee benefits community. If you are a plan sponsor or a plan fiduciary, it's important to make sure you've thought about how to address this risk that is now well above the horizon. As an ERISA fiduciary, you play a key role in helping your participants guard against the theft of their accounts at the hand of cybercriminals. Take the steps noted above and stay abreast of developments in this rapidly evolving area.
Source: Plansponsor.com, July 2021
The article discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness. Authors highlight that where regulators previously focused on how companies responded to cyberattacks, they are now focusing more on whether and to what extent victimized businesses were adequately prepared to defend against attacks. They add that if the policies, procedures, and defenses businesses had in place were inadequate, regulators are increasingly pursuing enforcement actions, even in situations where a data breach did not occur or where individual consumers' personal identifying information was not improperly accessed or acquired.
Source: Faegredrinker.com, June 2021
In light of a new DOL audit initiative and increasing cybersecurity threats to ERISA benefit plans, ERISA plan sponsors and fiduciaries should be prepared to answer some important questions: Do the cybersecurity programs of you and your service providers comply with DOL guidance? Do your contracts with service providers include appropriate data protection provisions? Are you and your service providers doing enough to protect your employees and ERISA plan participants?
Source: Pillsburylaw.com, June 2021
The Department of Labor is moving quickly to audit cybersecurity protocols. Businesses that have not yet addressed their cybersecurity practices and compliance plans must do so immediately. Example DOL audit questions provided.
Source: Nixonpeabody.com, June 2021
Companies that sponsor 401k plans have a fiduciary obligation to protect the individual retirement accounts of their employees from cyber theft. Currently, there are approximately 106 million defined contribution plans in the United States, which hold almost $6.3 trillion in employee retirement savings. Unfortunately, over the last couple of years, cyber theft has become an increasing risk for companies that sponsor 401k plans.
Source: Masudafunai.com, June 2021
With participant assets and retirement security on the line, cybersecurity weighs heavily on many retirement plan sponsors' minds. While the recently issued cybersecurity guidance from the DOL provides a roadmap to help prevent cyber threats, the heightened emphasis indicates that cybersecurity will likely remain a DOL focus for years to come. This webinar recording discusses DOL cybersecurity guidance and its impact on plan sponsors, effective approaches to evaluate and monitor plan providers, and the future of information security in the retirement plan space.
Source: Captrust.com, June 2021
Plan fiduciaries and their service providers likely have heard about the DOL's cybersecurity guidance. The Department of Labor's stepping into cybersecurity in this way has left plan fiduciaries with some questions. So, what are plan fiduciaries thinking? Here are snippets of conversations between plan fiduciaries that may provide some insight into that question.
Source: Benefitslawadvisor.com, June 2021
The DOL has begun issuing information and document requests under their new cybersecurity practices initiative, and the requests are probing and indicate serious inquiry by the DOL. News of the DOL beginning this audit program should not come as a surprise. However, it is fair to say that both the pace with which the DOL has begun its audits and the depth and breadth of the initial round of requests is surprising.
Source: Morganlewis.com, June 2021
This first cybersecurity guidance from the EBSA signals its expectations around cybersecurity. Of note is the focus placed on vetting and onboarding service providers. These cautions are particularly helpful when considering vendors who have automated protection processes and/or intimate knowledge of their clients' IT systems. Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their controls and vendor management programs to these three newly issued guidance documents.
Source: Eyeonprivacy.com, June 2021
The digital world has opened many doors, including some to theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. Read this to find out how plan sponsors can protect themselves and their participants while meeting fiduciary obligations.
Source: Captrust.com, June 2021
Is the personally identifiable information shared with your retirement plan service providers safe? Many providers farm or harvest this data amongst their affiliates or others to market and solicit additional products or services. This gives the appearance that you, as the plan sponsor, endorse these additional products or services. Find out why allowing these practices may put you at risk of accusations of breaching fiduciary duties and what steps you can take to proactively protect yourself and your participants.
Source: Francisinvco.com, May 2021
The US District Court for the Northern District of Illinois handed down a decision in Bartnett v. Abbott Laboratories, dismissing the plaintiff's claims against defendant sponsor fiduciaries in a case involving the theft of $245,000 in the plaintiff's Abbott retirement plan account. Particularly interesting for plan sponsors is the court's discussion of the sponsor fiduciary's standard of care concerning a plan provider's cybersecurity.
Source: Octoberthree.com, May 2021
There's not much new information in the DOL guidance from what had already been suggested by experts; it has issued common-sense best practices that reflect the state of the industry. What is new is that the DOL has laid out thoroughly what it would expect plan fiduciaries to be looking for. "The DOL is saying, 'This is a fiduciary issue, and here's a road map.'"
Source: Plansponsor.com, May 2021
The DOL's new guidance formalized its long-held view that retirement plan fiduciaries must ensure proper mitigation of cybersecurity risks. More specifically, the DOL expects retirement plan fiduciaries to select and monitor the cybersecurity practices of their service providers. Ten key takeaways and next steps.
Source: Employeebenefitsblog.com, May 2021
A Secure System Development Life Cycle Program (SDLC) process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort. The DOL has enumerated best practices in this regard which are outlined here.
Source: Asppa.org, May 2021
Many general business practices that are the essence of sound governance and responsible business practice also are applicable in establishing strong security policies, procedures, guidelines, and standards. The DOL suggests considering several practices outlined here.
Source: Napa-net.org, May 2021
Retirement plans are increasingly subject to cybersecurity issues, and the DOL is taking notice. Also, litigation arising under ERISA involving cybersecurity threats has highlighted a plan administrator's duty to prudently select and monitor service providers. The DOL's best practices guidance includes many specific action points. Several of their recommendations are highlighted here.
Source: Ogletree.com, May 2021
Newly released documents offer plan sponsors, plan fiduciaries, recordkeepers, and plan participants direction for avoiding cyber theft. What you should know.
Source: Pnc.com, May 2021
Given that the majority of plan sponsors and fiduciaries likely already have existing service providers that aid in the administration of their benefit plans, plan sponsors and fiduciaries may consider amending the applicable service agreement to include some or all of the provisions recommended here to the extent there is not sufficient contractual protection under the existing agreement.
Source: Frostbrowntodd.com, May 2021
Because retirement plans hold a significant amount of money and maintain personal participant information, retirement plans are often a desirable target for cybercriminals. Due to the wealth of money and information that retirement plans hold, the DOL states that plan fiduciaries have an obligation to ensure that proper cybersecurity precautions are in place.
Source: Wnj.com, May 2021
The DOL addressed cybersecurity issues, not in the form of an advisory opinion, information letter, or a field advice bulletin, but rather in the form of three documents describing best practices for plan sponsors and plan fiduciaries, service providers to plans, and plan participants. There is no discussion of whether a participant's plan data is a plan asset under ERISA or the relative level of responsibility of a plan sponsor/plan fiduciary and a plan's service provider.
Source: Wagnerlawgroup.com, May 2021
The new guidance is intended to complement the DOL's May 2020 regulations on electronic records and disclosures to plan participants and beneficiaries. While the 2020 e-delivery regulations allowed retirement plans to rely on communications of retirement plan updates, benefit statements, and notices to participants and beneficiaries by electronic delivery, there was a recognition that such delivery created an increased risk of cybersecurity attacks. As a result, the DOL provided three sets of recommendations for the different parties involved in sharing sensitive retirement plan information.
Source: Icemiller.com, May 2021
The DOL issued its first cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. As the guidance may be considered a "safe harbor" for fiduciaries to show compliance with their obligations under ERISA, plans should take steps now to review the way plan data is protected and revisit contracts with service providers to incorporate the DOL's recommendations accordingly.
Source: Truckerhuss.com, May 2021
The DOL has spoken "officially" for the first time regarding best practices for ERISA Plan fiduciaries regarding cybersecurity. Let's set the stage for why this is important news, then review the EBSA's suggested "best practices" for ERISA Plan sponsors, fiduciaries, and service providers, as well as plan participants and beneficiaries.
Source: Compliancedashboard.net, April 2021
If you are a service provider, and you have not already realized that your clients are going to start requesting your cybersecurity policy and procedures, this is your wake-up call. But, here's the good news – the DOL has left you a blueprint to follow. In the "Cybersecurity Program Best Practices," the DOL has outlined not only what a service provider should have, such as a formal Cybersecurity Program, but what these documents and best practices should include.
Source: Ferenczylaw.com, April 2021
The clouds have been forming on the horizon for years now: from the courts, we have seen emerging lines of ERISA litigation asserting fiduciary obligations to protect the privacy rights of participants, and from the regulatory agencies we have heard an acknowledgment of the need for guidance regarding fiduciary responsibility for cybersecurity risks. A call to action for plan fiduciaries came last week from the DOL in the form of new cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, plan participants.
Source: Benefitsbclp.com, April 2021
The DOL issued new cybersecurity guidance to help retirement plan fiduciaries protect $9.3 trillion in assets held by employer-sponsored retirement plans. The DOL guidance confirms that fiduciaries have an obligation to evaluate the cybersecurity procedures of plan record keepers and other service providers.
Source: Ballardspahr.com, April 2021
In the face of cybersecurity challenges, many plan sponsors and administrators have considered ways to mitigate risk. In recent years, it has been suggested that the DOL should provide its perspective on fiduciary responsibilities for cybersecurity. Until now, the DOL has been largely silent on these matters but has now stepped into the discussion with three pieces of guidance aimed at three different audiences.
Source: Erisapracticecenter.com, April 2021
The DOL has prepared these best practices for use by recordkeepers and other service providers responsible for retirement plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire.
Source: Dol.gov, April 2021
As part of its efforts to protect an estimated $9.3 trillion in retirement plan assets from increasing internal and external cybersecurity threats, the DOL has issued its first guidance ever concerning cybersecurity and retirement plans. The guidance is intended for three interested groups with a stake in retirement plan administration: the sponsors and fiduciaries of retirement plans, the entities providing administrative and other services to retirement plans, and plan participants and beneficiaries.
Source: Bradley.com, April 2021
The DOL issued guidance on cybersecurity for the first time to help plan sponsors, fiduciaries, service providers, and participants protect personal information and retirement assets. In the guidance, the DOL identifies evaluating cybersecurity practices as part of the plan sponsor's or other plan fiduciary's duty to prudently select and monitor plan service providers and states that ensuring proper mitigation of cybersecurity risks is a fiduciary obligation. The guidance is provided in three documents.
Source: Benefitsnotes.com, April 2021
The DOL issued much-anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to guide employee benefit plans, shared with the federal DOL some considerations concerning cybersecurity. The essence of the guidance is reviewed here.
Source: Benefitslawadvisor.com, April 2021
Who exactly is responsible if a participant's balance is stolen? While that may not be exactly clear, a recent blog entry suggests that it may be prudent to take steps to protect participants' retirement accounts from cybercrime nonetheless.
Source: Asppa.org, April 2021
DOL Releases Cybersecurity Guidance for Plan Sponsors, Fiduciaries, Service Providers, and Participants
The DOL released a three-part guidance package on cybersecurity for plan sponsors, plan fiduciaries, service providers, and participants. This guidance comes on the heels of the Government Accountability Office report on cybersecurity risks for retirement plans released earlier this year. An EBSA news release accompanies the guidance release.
Source: Ascensus.com, April 2021
DOL officials told GAO that they believe cybersecurity is a serious problem for retirement plans, and the department plans to post sub-regulatory compliance assistance materials addressing related issues for plan sponsors and administrators. But the timing of DOL's coming cybersecurity guidance is uncertain. GAO's report did not recommend legislation, but lawmakers will likely assess the need for action after reviewing the DOL guidance.
Source: Mercer.com, April 2021
Protection of 401k plan participant balances against theft has become a major concern for all employer plan sponsors. What do plan sponsors need to do to meet 401k cybersecurity challenges? Read this to find out.
Source: Lawtonrpc.com, April 2021
Firms that oversee retirement plans hold sensitive data like Social Security numbers. A cyber attack could lead to identity theft or monetary loss for savers. And the DOL hasn't done enough to protect 401k savings and data from cyber attacks, according to a Government Accountability Office report.
Source: Cnbc.com, March 2021
The U.S. Government Accountability Office has released a report examining cybersecurity in private-sector defined contribution retirement plans and exploring how federal guidance can mitigate cybersecurity risks. The agency is asking the DOL to review its guidance on cybersecurity administration. The GAO report starts by reiterating that DC plans, plan sponsors, and their service providers share personally identifiable information and plan asset data, and therefore increase their risks of cyber hacks.
Source: Planadviser.com, March 2021
The GAO concluded that plan sponsors, recordkeepers, and others have little to go on as far as guidelines from the Department of Labor and that it isn't clear whether fiduciaries have the responsibility to minimize cybersecurity risks.
Source: Investmentnews.com (registration may be required), March 2021
Cybertheft Lawsuit: Court Dismisses Fiduciary Breach Claims Against Plan Sponsor for a Second Time
On February 8, 2021, in the latest turn in the saga of a closely-watched ERISA cybersecurity lawsuit, the Northern District of Illinois again dismissed fiduciary breach claims against Abbott Laboratories relating to the cyber theft of $245,000 from a participant’s account in Abbott Laboratories Stock Retirement Plan. The decision marks the second time the court has dismissed claims against Abbott Labs.
Source: Groom.com, March 2021
Theft of 401k account balances by cybercriminals or other types of criminals is an actual thing, and such thefts will become more and more popular as long as third-party administrators fail in their role and don't use common sense. The latest lawsuit, by Raymond J. Mandli and Mandli Communications, Inc., claims that the TPA, American Trust, made an unauthorized distribution in the total amount of $124,105 from Mr. Mandli's plan.
Source: Jdsupra.com, March 2021
Can the plan sponsor be held responsible when an outside service provider honors a suspicious distribution request? Courts are now sorting out the issue of who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests, but every 401k provider service agreement should require the service provider to observe appropriate cybersecurity protocols concerning participant account information.
Source: Gct.law, February 2021
The DOL has simplified the delivery of retirement plan information to participants through its new electronic disclosure rule. Although the E-Delivery Rule promises to expand the use of electronic delivery, retirement plans still retain a fiduciary duty to protect participants' personal information from cybertheft. Thus, retirement plans taking advantage of the new rule may face increased exposure to ERISA fiduciary breach claims alleging inadequate cybersecurity measures. This article discusses the DOL's E-Delivery Rule and the fiduciary considerations applicable to plans that rely on the new rule.
Source: Asppa.org, February 2021
A recently filed lawsuit against a trust company serving as a 401k plan trustee, the second of its kind in the last few months, highlights the need for plan sponsor diligence in protecting participant data and accounts in an increasingly electronic world. Cybersecurity is complex and is a subject that must be considered carefully, deeply, and periodically, just like the selection of investments and other operational issues of the plan you sponsor.
Source: Spotlightonbenefits.com, January 2021
A plan sponsor is suing the trustee for its 401k plan for breaches of fiduciary duties related to a fraudulent distribution from a participant's account made in 2020. American Trust is the trustee for the Mandli Communications 401k Plan and Trust. One of the services it provides to the plan is reviewing and approving all distributions from the plan.
Source: Planadviser.com, January 2021
A new case of 401k theft has led to a lawsuit by the participant, and the plan, against a provider. The suit alleges that on Feb. 14, 2020, "American Trust made an unauthorized distribution in the total amount of $124,105 from Mr. Mandli's Plan account in response to a request for a distribution from an unknown third party."
Source: Asppa.org, January 2021
Plan sponsors should now have on their priority list for 2021 the development of cybersecurity policies and procedures for both the company and the plan. Here are a few key items plan sponsors should consider including as they develop or update their company cybersecurity policy.
Source: Linkedin.com, December 2020
There's been increasing awareness -- and litigation -- regarding cybersecurity and participant accounts and the DOL has taken notice. Sources say that DOL plan audits are now asking to see employers' written cybersecurity policies and procedures and asking about cybersecurity attacks, and the responses to them.
Source: Napa-net.org, December 2020
Plan sponsors might think they can breathe a sigh of relief following a recent decision from U.S. District Judge Thomas Durkin for the Northern District of Illinois. The decision dismissed Abbott Laboratories from a lawsuit related to a cybersecurity theft from an employee’s retirement account, ruling that the plan participant failed to prove that Abbott itself is a fiduciary concerning the alleged failures. But the federal court decision does not let plan sponsors off the hook, and various state laws may be applied to cases against them.
Source: Plansponsor.com, November 2020
Recent reports of 401k thefts and an ongoing concern about cybersecurity should have everybody on the alert. Here are five things you, your plan sponsor clients, and their participants should check out.
Source: Napa-net.org, November 2020
The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers, a key official said Oct. 28. He also expects to see more focus in the department's investigations on the adequacy of various cybersecurity programs, especially for large plans in terms of making sure the providers they hire are observing good cybersecurity practices.
Source: Napa-net.org, October 2020
Plan fiduciaries are now faced with the detailed compliance requirements of ERISA and cybersecurity laws including data breach matters. So, what can fiduciaries do to minimize their cybersecurity liability?
Source: Foley.com, October 2020
For the court, the determinative issue at this stage of the litigation was the fiduciary status of each of the defendants. As described here, the court concluded that Alight was the only defendant sufficiently alleged to be a fiduciary, and thus dismissed all claims against the Abbott Labs defendants but allowed the claims against Alight to move forward. The case highlights the evolving nature of ERISA cyber-security litigation and represents the second case where plaintiffs survived a motion to dismiss alleging that plan service providers were fiduciaries when allegedly failing to prevent cyber fraud from draining participant accounts.
Source: Groom.com, October 2020
The opinion is unique because it raises important questions -- not just about the scope of a TPA's ERISA fiduciary liability for distributing plan benefits that end up in a cyber criminal's pocket -- but whether ERISA plan TPAs can be sued for both ERISA fiduciary breach claims and state law consumer fraud claims resulting from the same alleged misconduct: the failure to enact cybersecurity procedures that prevent the theft of plan assets. The result of the Abbott decision has serious implications.
Source: Wagnerlawgroup.com, October 2020
Recent Cybersecurity Breach Case Proves Risks Are Rife for Both Retirement Plan Sponsors and Service Providers
ERISA became law before the computer age, so there are no provisions in the Act dealing with cybersecurity. Also, there is no formal guidance from the IRS or Department of Labor on cybersecurity responsibilities either, leaving it to the courts to determine responsibilities under ERISA when a cybersecurity breach occurs that results in theft from a participant’s account. This was the case in Leventhal v. MandMarblestone Group LLC, where a plan participant sued his third-party plan administrator and plan custodian after his 401k account was drained by cybercriminals.
Source: Hallbenefitslaw.com, October 2020
The plaintiff named Abbott Labs as a defendant, but the court dismissed these claims on the ground that the plaintiff did not show that Abbott Labs acted as a fiduciary or was identified as a fiduciary in the plan document. No acts were specified that linked Abbott to the alleged theft, and a complaint must allege that Abbott acted in a fiduciary capacity when it took actions that were the basis for the lawsuit.
Source: Cohenbuckmann.com, October 2020
We know fraudsters are looking to exploit elements of the CARES Act that provide retirement plan sponsors the ability to allow in-service distributions, loans, and withdrawals free of fees. The combination of the work-from-home model most workers are experiencing, coupled with the anxiety and emotional distress retirement plan participants could be feeling given market volatility and job losses related to the pandemic provides a ripe target. Here are several tips plan sponsors can share with participants to promote fraud prevention.
Source: 401kspecialistmag.com, October 2020
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.