|
COLLECTED WISDOM™ on Cybersecurity Risks and LiabilitiesThis is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries. This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic. If you find a broken link or an items that you feel is outdate, irrelevant or no longer appropriate, please let us know.
Retirement Plan Access and Fraud Prevention ConsiderationsAs a significant investment for many Americans, retirement plan assets are an attractive target for cyber hackers globally. Plan participants need to take common-sense measures to safeguard their accounts. Plan sponsors face the dual challenge of providing online access to participants' retirement plans while keeping their information secure. Implementing and maintaining a proactive cybersecurity strategy is key for both parties. Here are a few items to consider. Source: Spconsultants.com, April 2024
Plaintiffs Request Judge Approve Settlement in ERISA Data Breach LawsuitRetirement plan participants whose personal identifiable information was exposed in a 2021 data breach have asked a Georgia federal judge to approve an $8.733 million agreement to resolve allegations, which claimed national consultant Horizon Actuarial Services LLC failed to safeguard their sensitive data. Source: Plansponsor.com, March 2024
Is Your Plan Cyber-Secure? Fiduciaries and Vendors Face Ongoing ChallengesNo steps will ever provide 100% protection against breaches, but in this article, attorney Carol Buckmann discusses the state of the law, court cases in which participants have sued to get stolen benefits restored, and practical steps that can be taken by the company's fiduciaries to better protect participants and lower the risk of loss. Source: Cohenbuckmann.com, March 2024
401k World: Cyber ThievesWith a quick Google search, anyone can get a sense of the massive amount of money in workplace retirement plans and individual retirement accounts. What may be less known, but not too hard to figure out for hackers, is that retirement plans' unique business model creates multiple potential openings for breaches, according to experts. This article delves into cybersecurity threats to retirement plan assets and the industry's approach to combatting them. Source: Planadviser.com, March 2024
ERISA Fiduciary Concerns Relating to Cybersecurity: Theft of Plan AssetsSince a cyber breach is not a matter of "if," but a matter of "when," fiduciaries of retirement plans should be addressing this risk. This 4-page article discusses the DOL's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries. Source: Foxrothschild.com, January 2024
Canadian Plan Sponsors More Vigilant of Cybersecurity Risks When Dealing With Third-Party Vendors: ExpertData management and transference are key areas of risk for pension plan sponsors as the vulnerability of engaging with third parties creates opportunities for cybercriminals, says Jillian Kennedy, a partner at Mercer. According to an online brief published last year by Ernst & Young, third-party service providers hired by public pension plan sponsors tend to be desirable targets of cybercriminals. Vulnerabilities can be found in plan sponsors' websites and member portals, said the report, noting investment organizations are also at risk due to the handling of investment operations conducted by its staff. Source: Benefitscanada.com, January 2024
ERISA Fiduciary Concerns Relating to Cybersecurity: Part I -- Theft of Plan AssetsSince a cyber breach is not a matter of if it will occur, but a matter of when, fiduciaries of retirement plans should be addressing this risk. This article discusses the Department of Labor's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries. Source: Plusblog.org, December 2023
Retirement Plans and Cybersecurity: Insights for Plan SponsorsWith the increased regulatory focus and greater awareness of cyber vulnerabilities within the retirement plan industry, plan sponsors are looking for ways to meet their fiduciary responsibility in mitigating retirement plan cybersecurity risk. This article covers a few of the currently available ways in which sponsors can address the risk. Source: Berrydunn.com, December 2023
Cybersecurity Triggers a New Paradigm in Vendor MonitoringData breach statistics have constantly pointed to third-party service providers being the most significant conduit for compromised personally identifiable information or personal health information. A new era in vendor monitoring has emerged to gain efficiency in the responsibility to oversee service providers. Source: Rolandcriss.com, October 2023
How to Stay Safe From Evolving Cybersecurity ThreatsTo minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission's new cybersecurity rules, should adopt prevention measures against threats, and should be prepared to respond if an attack happens, experts say. Source: Planadviser.com, October 2023
The Future Is Now for ERISA Fiduciary Duties Around Plan DataERISA needs to catch up with the information age by identifying plan data as a plan asset, resolving the current ambiguity on that point that has led courts to decide otherwise, and developing the related fiduciary duties, argues Michael Schloss of The Wagner Law Group. Source: Wagnerlawgroup.com, October 2023
What's at Risk in a Cyberattack on a DC Plan?Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust, and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers' nest eggs, explains Gregg Levinson, senior director for retirement at WTW. Source: Plansponsor.com, October 2023
Protect Against a Retirement Plan Cybersecurity Breach or Else: DOLEarle Allen, Principal with CAPTRUST, asked former EBSA Assistant Secretary Preston Rutledge for an idea of what to expect from a DOL cybersecurity audit and how far plan sponsors and advisors should go in preventative measures. Here is the response. Source: Napa-net.org, October 2023
MOVEit Cyberattack Ignites Worry About Fiduciary ResponsibilityIf there's one big takeaway for plan sponsors following the massive MOVEit cyberattack that breached the personal data of millions of participants in public pension and private-sector workplace retirement plans, it's this: They may need to rewrite their vendor contracts and redouble their monitoring of service providers. While no sponsors have yet been sued, it's not far-fetched to think that they could be, according to legal experts. Source: Pionline.com, August 2023
New York Life Clients Latest Victims of Massive MOVEit Data BreachAlmost 26,000 New York Life customers had their names and Social Security numbers exposed to a data breach, the latest in a massive hack that affected hundreds of companies and millions of Americans. The hack occurred in late May and involved Progress Software, the provider of MOVEit transfer software. MOVEit is used to transfer client data securely. Source: Napa-net.org, August 2023
Moveit Hack Brings Vendor Assessment to ForefrontRetirement plan providers and advisers should be taking a close look at vendor cybersecurity protocols after a software transfer hack exposed the private data of millions of people, including retirement plan participants, according to industry experts. SPARK Institute members guide how advisers can both prepare for and respond to participant data concerns stemming from the nationwide breach. Source: Planadviser.com, July 2023
Data Breach Impacts Nearly 172,000 Tennessee RetireesThe Tennessee Consolidated Retirement System notified retirees and beneficiaries that their names, Social Security numbers, dates of birth, and mailing addresses had been compromised. Source: 401kspecialistmag.com, July 2023
Multiple Cyber Incidents Impact Employee Benefit Plans and ParticipantsIf a retirement plan has a business relationship with any service provider that uses, used, or may have used the MOVEit software application or RCH services, the plan should determine what fields or categories of personal information were shared with the service provider(s), and by extension MOVEit or RCH, to determine the impact on the plan and its participants. Any service agreements with the applicable vendors should also be reviewed concerning data breach notification, information reporting, and follow-up obligations of the service provider(s). Source: Beneficiallyyours.com, July 2023
DOL Provides Cybersecurity Tips For Plan Sponsors, ParticipantsIf it wasn't already clear to plan sponsors and retirement plan advisers, Employee Benefits and Security Administration head Lisa Gomez reiterated this week the importance of cybersecurity and increased protection for participants in a new post providing eight areas for guidance. In her blog post on the Department of Labor website, Gomez laid out various tips plan sponsors and advisers can convey to participants for keeping their information safe. Source: Plansponsor.com, July 2023
Are Your Clients Insured Against Cyber Threats?Experts share tips for how plan sponsors can protect themselves from the increasing threat of cybersecurity attacks and evolving litigation. Source: Planadviser.com, June 2023
Plan Committees Need Consistent Focus on CybersecurityRetirement plans are a target today because that is where so much wealth is held by American savers. Therefore it is crucial for retirement plan committees -- and their advisers -- to engage in cybersecurity discussion and reviews as an ongoing part of their work. Source: Planadviser.com, June 2023
CalPERS Cybersecurity Breach Affects 769,000 MembersA major cybersecurity breach involves one of the world's largest pension funds. CalPERS announced last week that approximately 769,000 retired members and their families had personal information exposed in a "worldwide data security incident" that impacted one of its contracted third-party vendors, PBI Research Services/Berwyn Group. Source: Napa-net.org, June 2023
Participant Data Breach Hits Retirement ClearinghouseRetirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans, has alerted more than 10,500 individuals that their data, including individual retirement account numbers, may have been compromised. The organization alerted individuals with written notice, dated May 12, that their information may be at risk for fraud, according to public filings in the states where they are located. Source: Plansponsor.com, May 2023
Plan Sponsors Should 'Definitely' Have Cyber Liability Insurance: Lisa GomezAt PSCA National just last week, ARA CEO Brian Graff and EBSA Assistant Secretary Lisa M. Gomez discussed a wide range of topics, including the many misunderstandings about cyber liability insurance (which could be a huge fiduciary failure) and the ESG rule. Source: Napa-net.org, May 2023
401k Participant Drops Data Breach Suit Against TransamericaA retirement plan participant has dropped a lawsuit filed against Transamerica Retirement Solutions alleging that the retirement plan provider failed to exercise reasonable care in securing and safeguarding personally identifiable information, including names, addresses, Social Security numbers, and retirement fund contribution amounts. Source: Planadviser.com, March 2023
Who's Liable When a Plan Participant Is a Victim of Identity TheftBecause of the scarcity of case law and regulatory guidance on the issues, any case that analyzes the liability of ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized. A recent opinion in the Southern District of New York has widened the scope of liability for potential ERISA defendants in actions seeking to recover fraudulent distributions from ERISA-covered plans. It has also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money. Source: Wagnerlawgroup.com, February 2023
Responding to a Cyberterrorist AttackIt is a growing club that no one wants to join: the club of companies that became victims of cyberterrorism. Whether the release of credit card data from the infamous Target inside job, the gas pipeline shutdown at Colonial Pipeline, or the more recent CNA Financial ransom attack, it is often not a question of "if" a company will be attacked, but "when." Recently, a major software provider to third-party administrators joined this horrible club. The question addressed here is "What should we do about this issue?" Source: Ntsa-net.org, January 2023
Cybersecurity: Retirement Plan Sponsors Can Protect ThemselvesThe digital world has opened many doors, including theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. This article reviews how plan sponsors can protect themselves and their participants while meeting fiduciary obligations. Source: Captrust.com, January 2023
The Colgate Participant Account Cyber Theft Case Survives DismissalA New York federal district court ruled on December 19, 2022, that a participant in the Colgate-Palmolive defined contribution plan adequately alleged breach of fiduciary duty claims against the plan recordkeeper and the plan fiduciary committee. It is a curious decision that is worth studying to understand whether plan participants have potentially viable claims against the plan recordkeeper and plan fiduciaries when a participant's account is hacked. Source: Euclidspecialty.com, December 2022
More Hackers Going After Retirement Savings, Experts SayEmployer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, and cryptocurrency investing is particularly at risk for scams, according to two financial-focused cybersecurity experts. Source: Planadviser.com, December 2022
SPARK Releases Updated Data Security Best PracticesThe SPARK Institute released Monday its Plan Sponsor and Advisor Guide to Cybersecurity, laying out its specific data security "Best Practices and seventeen Control Objectives." Developed by its Data Security Oversight Board, SPARK's best practices and control objectives establish a base of communications between recordkeepers and the public through third-party audits of cybersecurity control objectives. Source: Planadviser.com, November 2022
SPARK Institute Releases Updated Cybersecurity Standards for Plan Sponsors and AdvisorsRecordkeepers and retirement industry consultants are banding together to beef up cybersecurity. A collaborative effort between recordkeepers and consultants leads to updated Data Security Best Practices and a new Plan Sponsor and Advisor Guide to Cybersecurity to strengthen the retirement industry's defenses against cyber criminals. Source: 401kspecialistmag.com, November 2022
Cybersecurity: Insights and Action StepsCybercriminals are creative and resourceful and they're not just after bank accounts. Industry experts in a recent webinar cautioned that retirement plans are in their sights as well. This article outlines some concrete steps that can be taken to address and protect retirement plans against cybercrime. Source: Ntsa-net.org, October 2022
Cybersecurity Breach Suits Raise Questions About Liability for Benefits PlansCybersecurity breaches concerning workers' personal information and retirement savings have increased liability risks for benefit plans and third-party administrators under federal benefits laws. In February 2021, the GAO issued a report warning about these increased legal risks for ERISA plan fiduciaries due to cyber breaches. The GAO also warned that outsourcing various functions involving retirement plans to third-party administrators could increase the potential for unauthorized access to participants' information. In recent years, the GAO's warnings have become a reality. Source: Hallbenefitslaw.com, October 2022
Is It Time for ERISA to Be Amended to Cover Cyber Crimes?It is no surprise that cyberattacks are a grave concern for sponsors of retirement plans. Under ERISA fiduciaries and persons handling funds must be bonded to protect against fraud and dishonesty. This article discusses this required ERISA bond and the interplay of other types of insurance coverage and concludes with a recommendation that Congress amend ERISA to require insurance to address cyber crimes. Source: Foxrothschild.com, October 2022
Common Myths of Cyber Insurance for Employee Benefit PlansCyber insurance is a critical component of the cyber security risk management program necessary to protect employee benefit plans and participant retirement assets. But the current way plan fiduciaries seek cyber and crime coverage needs to change and this article explains why. Source: Euclidspecialty.com, October 2022
In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL SubpoenaIn an enforcement action involving an administrative subpoena seeking documents from a service provider for employer-sponsored health and retirement plans, the Seventh Circuit held that the DOL's investigatory authority under ERISA is not limited to ERISA plan fiduciaries. The Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome. Source: Westlaw.com, October 2022 401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC. | |||||||
|
About
| Glossary
| Privacy Policy
| Terms of Use
| Contact Us
|
