COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.
Plan sponsors are taking measures to battle cyberattacks on retirement plan participant data and accounts, but is there anything participants can do to protect themselves? Participants are always urged to create a strong, complex password, keep anti-virus and anti-malware software on personal computers up to date, and avoid links from unknown senders.
Source: Plansponsor.com, December 2019
Cybercrime, and cybersecurity, obviously are a concern for plans. But that means more than making sure plan records and accounts are not targets and victims; it also includes other functions, structures, and systems. Experts at the recent SPARK Forum offered insights and tips on heading off cybercrime and protecting the integrity of processes and systems.
Source: Ntsa-net.org, December 2019
A recently filed ERISA action raises troubling questions about the safety of 401k plan participant account assets and the proper allocation of financial responsibility when account assets are stolen. The case alleges that the Estee Lauder 401k Plan, acting through its recordkeeper, Alight Solutions LLC (formerly Hewitt Associates, LLC), processed a series of three unauthorized distributions from the plaintiff's account in the amounts of $12,000, $37,000 and $50,000, respectively, over the course of approximately three weeks.
Source: Psca.org, November 2019
The two areas of cybersecurity defense that sponsors should be mindful of are breaches and fraud. A breach is where there is a compromise to your information systems, and there is a large extraction of data. Fraud is when that data is used to perpetrate a financial crime. Should a breach or fraud occur, a sponsor could be liable if the claimant establishes that it failed to follow a prudent process to safeguard the plan data.
Source: Plansponsor.com, November 2019
The trend of commercial database breaches involving the disclosure of personally identifiable information does not appear to be slowing down. Recent large scale PII breaches of other companies can negatively impact your retirement plan and participants. Cyber criminals are becoming more sophisticated and with the glut of PII available to them, in combination with other techniques such as phishing and malware, retirement accounts are being put at risk of fraudulent access and distribution of funds. As a retirement plan sponsor and fiduciary, there are steps you should take to mitigate the risk of fraud from occurring within your plan.
Source: Newportgroup.com, November 2019
Cybersecurity is a major concern in the context of retirement plans as plan participants' financial and personally identifiable information is maintained and shared across multiple parties. The cybersecurity environment for retirement plans is undergoing significant evolution, and this evolution will accelerate. While the precise fiduciary obligations of plan sponsors with respect to plan and participant information are not yet clearly defined, it is clear that multiple efforts are underway to define those obligations and to respond to the increasing need to strengthen protections.
Source: Ajg.com, November 2019
Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401k clients are asking about cybersecurity issues. Recordkeepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved. It is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing.
Source: Investmentnews.com (registration may be required), November 2019
ERISA was enacted before the computer age, and it has never been amended or interpreted to impose a specific duty on plan fiduciaries to maintain appropriate cybersecurity protections. However, fiduciaries should not have their heads in the sand about this issue. The duties of prudence and loyalty will likely be interpreted to include a responsibility to keep plan assets safe from hackers. A lawsuit recently filed against Estee Lauder Inc, its 401k plan committee, recordkeeper and custodian highlights some security flaws in plan distribution procedures and has the potential to make new law in this area.
Source: Cohenbuckmann.com, October 2019
A former participant in the Estee Lauder 401k plan has sued the plan sponsor and plan providers for failing to safeguard her retirement account. According to the complaint, in September and October 2016, an unknown person or persons stole the participant's retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan.
Source: Planadviser.com, October 2019
A group of seven Republican senators is urging the Senate Majority Leader to act on one of the most consequential pieces of retirement security legislation in more than a decade. "We encourage the Senate to take action on the SECURE Act as soon as possible. Doing so would demonstrate to our constituents that the Senate can lead in a bipartisan way for workers saving for retirement, for tax fairness, and for family financial security," says the Oct. 15 letter.
Source: Napa-net.org, October 2019
In the past, the task of identifying cyber risk of any size organization fell mostly to the Chief Information Security Officer and focused on utilizing the "governance, risk, and compliance" model. The updated model, "integrated risk management," goes beyond technology to include people and process. This article introduces a more formal approach to RIA cybersecurity.
Source: 401kspecialistmag.com, October 2019
Given the potential dollar amounts at stake, plan fiduciaries should monitor evolving cybersecurity threats and industry standards for dealing with them and take steps to avoid potential attacks on their own plans. This 4-page article evaluates the current legal landscape and highlights some best practices for plan fiduciaries to reduce the cybersecurity risks to their plans.
Source: Eversheds-sutherland.com, October 2019
Cyber risks have become a more significant issue in the retirement space in recent years. With many plans using multiple service providers that share large amounts of data, vulnerabilities are evident, and risks are prevalent. Both plan assets and personally identifiable information (PII) are at risk. While completely eliminating these risks is impossible, managing these risks is achievable and is essential to not only following ERISA prudence standards, but simply in serving the best interests of plan participants as well.
Source: Planpilot.com, September 2019
Fiduciaries owe a duty of loyalty to plan participants and must discharge their duties solely in the interest of plan participants and beneficiaries. Ignoring online threats could potentially violate this duty. This article reviews some proactive steps plan fiduciaries can take to protect participant data and account balances.
Source: Shrm.org, August 2019
Many retirement plan fiduciaries do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis. A digital security expert says, "the behavioral and human element of data protection is always the most challenging part."
Source: Plansponsor.com, July 2019
The threat of a cyberattack is prevalent throughout the business world. Given the highly sensitive data held within employee benefit plans, it should come as no surprise that they have become a major target for hackers. Protecting participants’ personally identifiable information is a responsibility no longer limited to IT departments. Plan sponsors, fiduciaries and service providers of all employee benefit plans have an obligation to establish strong information systems practices to help prevent these attacks.
Source: Schneiderdowns.com, June 2019
Cybersecurity has become a prevalent concern in the retirement industry. Surprisingly, many plan breaches are not due to third-party attackers; rather, they can stem from misconduct by employees. Therefore, it is in the best interest of plan sponsors to provide guidelines to their participants so these vulnerabilities can be prevented.
Source: Planpilot.com, June 2019
Among a plan sponsor's responsibilities, encouraging and enforcing cybersecurity are not the first tasks that come to mind. But, as modern technology takes over the common workplace, the concept of cybersecurity for retirement plans has started to see attention. Plan sponsors should evaluate providers' cybersecurity practices, but there are also steps they and plan participants can take to safeguard retirement accounts.
Source: Planadviser.com, May 2019
The $5 trillion in retirement plans have become a "tempting target" for hackers to access sensitive information held by plan providers in the industry, so two legislators asked the Government Accountability Office to examine data protections, processes and procedures within the private retirement system.
Source: Workforce.com, May 2019
To a cyber criminal, the retirement plan industry looks like a big candy store with over five trillion dollars in liquid assets. It's up to plan sponsors to not only recognize the risk of cyber crime, but also proactively defend their retirement plans and participants. This article and podcast discuss what plan sponsors and participants can do to protect this important benefit.
Source: Francisinvco.com, May 2019
Cybersecurity risk management is no longer an issue plan sponsors can ignore. Auto-portability may be an answer to one of the 401k plan sponsors' cybersecurity risk management concerns. Yes, cybersecurity risk management solutions may be available via the 401k auto features that knowledgeable retirement plan advisors have been touting for the past 5 years. Surprisingly, the technology that makes 401k auto-portability possible may also enhance existing industry best practices that protect plan participants' personal data.
Source: 401ktv.com, May 2019
Defined contribution plans and their participants are not immune to the threat of cybersecurity breaches. Each data transmission to your recordkeeper or payroll provider, for example, creates risk. Plan sponsors and Retirement Plan Committees should be asking each other, "are we doing all we can to strengthen our retirement plan against cybersecurity breaches by keeping cybercriminals from hacking our participants' accounts?"
Source: 401ktv.com, May 2019
Reading the words "cyber security breach" and "cyber fraud" on the news, email, or in general can alone cause panic. But what constitutes a security breach, and how a recordkeeper should inform a plan sponsor about cyber-related events continue to be unclear throughout the industry. The SPARK Institute's Data Security Oversight Board worked with definitional examples from national cyber standards, international regulations, state privacy laws, and client contracts and gathered insights from the plan consultant representatives on the board.
Source: Planadviser.com, May 2019
Plan sponsors and service providers already take seriously their responsibilities to protect participant data, but where are the lines of responsibilities and accountability in the event of a breach?
Source: Napa-net.org, May 2019
The extent to which individuals should have control over their personal information and the data they generate in the on-line world has seized center stage in our national conversation. A new proposed settlement in Cassell v. Vanderbilt Univ. highlights the importance of these issues in the retirement plan marketplace.
Source: Groom.com, April 2019
There is no definitive answer to the question of whether the sponsor of a benefit plan is subject to the fiduciary standards of ERISA with respect to implementing cybersecurity measures to protect participants' financial data. Acknowledging a complete lack of guidance, a Senate committee sent a letter to the U.S. Government Accountability Office requesting guidance from the GAO on issues related to cybersecurity and the private retirement system.
Source: Truckerhuss.com, April 2019
With everything from pizza deliveries to multi-million dollar deals being handled online, it should come as no surprise that hackers might target your 401k plan. However, security breaches don't stop with an unknown party simply accessing your participants' personally identifiable information. Hacks also can lead to unauthorized withdrawals of funds from 401k plans. This article provides some best practices for avoiding this type of costly breach.
Source: Hallbenefitslaw.com, March 2019
A recent FTC Cybersecurity proposal is significant to the retirement plan community for several reasons. First, the Proposal, if finalized, could raise the baseline for plan fiduciaries when developing prudent cybersecurity programs. Second, the Proposal builds on the increased interest in cybersecurity by regulators, Congress, and the states. Expect that other GLBA regulators, such as the banking regulators or the SEC may consider incorporating elements of the Proposal into their own regulations or guidelines.
Source: Groom.com, March 2019
Employee benefit plans typically gather, use, and maintain confidential data about plan participants. Employers, plan sponsors, and fiduciaries must use cybersecurity best practices to protect this information. This article explores some cybersecurity techniques applicable to employee benefit plans.
Source: Hallbenefitslaw.com, March 2019
Aon released its 2019 Cyber Security Risk Report, which details the greatest cyber security threats and challenges organizations are currently facing. Among other risk areas shared are expansion of data into mobile devices and sharing of data with third-party vendors and service providers.
Source: Plansponsor.com, February 2019
A letter to Gene Dodaro, Comptroller General of the U.S. Government Accountability Office (GAO), identifies 10 questions federal lawmakers would like the GAO to answer, following its examination.
Source: Plansponsor.com, February 2019
The day starts as any other. A distribution form comes in for processing. It has a participant signature. The spousal consent section is completed and notarized. The Plan Administrator has signed the form. No problem. So, you process the $450,000 in-service distribution and give it no further thought. Three days later, the real participant calls in a panic wondering where his money went. Yikes. As a third party administrator (TPA), what can you do to help thwart this brazen, growing band of thieves? Do you have an obligation to do anything? What if your firm is acting as an ERISA 3(16) delegated fiduciary? Lots of questions, but we have no concrete guidance from any federal agency.
Source: Ferenczylaw.com, February 2019
The retirement industry has no unified cybersecurity approach to protect sensitive data, and an amalgam of federal and state regulations doesn't offer any clear approach for security within the retirement space, industry sources said.
Source: Pionline.com, February 2019
To a cybercriminal, the 401k industry looks like a big candy store with over $5 trillion in liquid assets and largely automated systems. Armed with your name, social security number, date of birth, address and any personal information available on social media, your 401k account is vulnerable. Not surprisingly, since these large-scale data breaches have occurred, industry insiders report a sharp increase in the number of attempts to steal 401k assets. Here are some steps you should take now to protect your 401k assets.
Source: Francisinvco.com, January 2019
The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information on millions of workers. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for an independent third-party reporting of cyber security capabilities with several key control objectives.
Source: Pensionresearchcouncil.wharton.upenn.edu, December 2018
Retirement plans are a relatively new frontier for cyber fraud, but many in the industry say that such heists are becoming more common. Retirement plans have yet to be the target of the kind of system-wide hacks that make headlines, such as the Equifax breach last year. Still, hackers are getting ever-more sophisticated in their approaches.
Source: Barrons.com, December 2018
Cybersecurity risks, such as phishing techniques, malware and ransomware attacks, facing employee benefit plans are no different than those facing corporations, and in fact, may be even more significant. As a plan sponsor and those charged with governance, you have a responsibility with respect to management and oversight of the plan, including understanding risks to the plan, even risks of cyberattacks.
Source: Schneiderdowns.com, November 2018
Tim Rouse of SPARK, Allison Itami of Groom Law Group, and Ben Taylor of Callan Consulting discuss "Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective" at the 2018 PRC Symposium.
Source: Youtube.com, September 2018
The best way to secure plan participants' information and assets is to establish an effective cybersecurity strategy. Organizational policies and training will ensure cybersecurity understanding and consistent practices across the board. The most effective cybersecurity strategy includes both a prevention plan as well as a response plan of action against a breach.
Source: Planpilot.com, September 2018
Cybersecurity fraud was once a problem reserved for the largest government agencies, credit card companies and banks. However, as these organizations have hardened their security capabilities, fraudsters have shifted their focus to the next tier of banks, as well as financial firms that play in the brokerage, retirement and insurance spaces. Many of these firms are now scrambling to learn from the big banks and quickly implement similar or next generation cybersecurity methods and capabilities.
Source: Newportgroup.com, September 2018
This article outlines reasons employers should consider obtaining cyber insurance, protections that a plan should include, possible drawbacks, and best practices for finding the plan with the appropriate coverage.
Source: Spencerfane.com, August 2018
While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly. More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.
Source: Forbes.com, July 2018
One of the most difficult challenges for plan sponsors is determining where to start in their efforts to defend against increasingly sophisticated cyber attacks. This article is designed to assist plan sponsors with formulating and executing their strategy to protect their information and their assets.
Source: Callan.com, July 2018
This article discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce cybersecurity risks, some of which are tips employers can share with retirement plan participants.
Source: Passwordprotectedlaw.com, July 2018
Employee benefit plans rely on a variety of service providers to administer benefits. Those providers maintain a plethora of participant data and protect plan assets for the benefit of participants. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies -- and their exclusions -- is important for sponsors who are exploring such coverage.
Source: Spencerfane.com, June 2018
The advent of electronic banking, plan administration, and account information access make it possible for cyber criminals to plunder assets, absent protections. Experts at the recent 2018 SPARK Institute National Conference held in National Harbor, MD addressed online threats to financial assets -- virtual, but also very real.
Source: Asppa.org, June 2018
Benefit plans are uniquely susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties. This 5-minute podcast discusses cybersecurity issues impacting employee benefit plans. It reviews the developing legal framework in cybersecurity and outlines practical tips that plan sponsors and recordkeepers may use to secure plan data.
Source: Erisapracticecenter.com, June 2018
This 8-page document was prepared by the EBPAQC to help plan auditors understand cybersecurity risk in employee benefit plans, and to discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients.
Source: Aicpa.org, May 2018
The U.S. retirement model has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware or underprepared for the ramifications of a cyberattack, experts warn.
Source: Benefitnews.com, April 2018
Retirement plans are notorious targets for these attacks because they involve a high volume of sensitive information that is invaluable to criminals with malicious intent. Plan participant and financial information is generally shared with many different parties, making it more vulnerable to such threats. This article discusses current risks as well as some useful tips for protecting plan participants' information.
Source: Planpilot.com, March 2018
Data security is a major concern for all organizations. There are many elements involved in protecting your own employees’ and your clients’ personally identifiable information. Conducting a self-assessment and developing your organization’s internal policies are a good starting point. But it is important to recognize that the job of data protection will never be complete; there will always be new items to add to your security to-do list.
Source: Cammackretirement.com, February 2018
There is no explicit cybersecurity duty that applies to consultants under ERISA. Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans, in order to assist plan sponsor clients in fulfilling their fiduciary duties.
Source: 401ktv.com, February 2018
Cybersecurity is a topic that is routinely grabbing headlines across industries, and employee benefit plans are not immune to the risks of cybercrime. The best efforts to reduce these risks are multi-faceted approaches to protecting sensitive information, with employers, their plan participants, and their benefit providers all working in tandem to safeguard personal data.
Source: Sentinelgroup.com, February 2018
Despite constant advances in available cybersecurity measures, there is no such thing as perfect security, and companies must be prepared to respond to a significant cybersecurity incident at a moment's notice. This article describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.
Source: Cov.com, February 2018
Only 27% of RIAs surveyed by TD Ameritrade suggest that cybersecurity issues, even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.
Source: Planadviser.com, January 2018
Failure to deal with cybersecurity issues could be a fiduciary breach under these rules and fiduciaries could have personal liability for the resulting losses, for example, if hackers are able to steal plan assets or fraudulently obtain distributions online by pretending to be participants. Participants whose personal accounts are hacked might also have claims against fiduciaries who failed to protect their data.
Source: 401ktv.com, January 2018
The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401k accounts and pension funds, whose breach could upend global markets.
Source: Bloomberg.com, January 2018
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.