COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.
DOL officials told GAO that they believe cybersecurity is a serious problem for retirement plans, and the department plans to post sub-regulatory compliance assistance materials addressing related issues for plan sponsors and administrators. But the timing of DOL's coming cybersecurity guidance is uncertain. GAO's report did not recommend legislation, but lawmakers will likely assess the need for action after reviewing the DOL guidance.
Source: Mercer.com, April 2021
Protection of 401k plan participant balances against theft has become a major concern for all employer plan sponsors. What do plan sponsors need to do to meet 401k cybersecurity challenges? Read this to find out.
Source: Lawtonrpc.com, April 2021
Firms that oversee retirement plans hold sensitive data like Social Security numbers. A cyber attack could lead to identity theft or monetary loss for savers. And the DOL hasn't done enough to protect 401k savings and data from cyber attacks, according to a Government Accountability Office report.
Source: Cnbc.com, March 2021
The U.S. Government Accountability Office has released a report examining cybersecurity in private-sector defined contribution retirement plans and exploring how federal guidance can mitigate cybersecurity risks. The agency is asking the DOL to review its guidance on cybersecurity administration. The GAO report starts by reiterating that DC plans, plan sponsors, and their service providers share personally identifiable information and plan asset data, and therefore increase their risks of cyber hacks.
Source: Planadviser.com, March 2021
The GAO concluded that plan sponsors, recordkeepers, and others have little to go on as far as guidelines from the Department of Labor and that it isn't clear whether fiduciaries have the responsibility to minimize cybersecurity risks.
Source: Investmentnews.com (registration may be required), March 2021
Cybertheft Lawsuit: Court Dismisses Fiduciary Breach Claims Against Plan Sponsor for a Second Time
On February 8, 2021, in the latest turn in the saga of a closely-watched ERISA cybersecurity lawsuit, the Northern District of Illinois again dismissed fiduciary breach claims against Abbott Laboratories relating to the cyber theft of $245,000 from a participant’s account in Abbott Laboratories Stock Retirement Plan. The decision marks the second time the court has dismissed claims against Abbott Labs.
Source: Groom.com, March 2021
Theft of 401k account balances by cybercriminals or other types of criminals is an actual thing, and such thefts will become more and more popular as long as third-party administrators fail in their role and don't use common sense. The latest lawsuit by Raymond J. Mandli and Mandli Communications, Inc. claims that the TPA, American Trust, made an unauthorized distribution in the total amount of $124,105 from Mr. Mandli's plan.
Source: Jdsupra.com, March 2021
Can the plan sponsor be held responsible when an outside service provider honors a suspicious distribution request? Courts are now sorting out the issue of who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests, but every 401k provider service agreement should require the service provider to observe appropriate cybersecurity protocols concerning participant account information.
Source: Gct.law, February 2021
The DOL has simplified the delivery of retirement plan information to participants through its new electronic disclosure rule. Although the E-Delivery Rule promises to expand the use of electronic delivery, retirement plans still retain a fiduciary duty to protect participants' personal information from cybertheft. Thus, retirement plans taking advantage of the new rule may face increased exposure to ERISA fiduciary breach claims alleging inadequate cybersecurity measures. This article discusses the DOL's E-Delivery Rule and the fiduciary considerations applicable to plans that rely on the new rule.
Source: Asppa.org, February 2021
A recently filed lawsuit against a trust company serving as a 401k plan trustee, the second of its kind in the last few months, highlights the need for plan sponsor diligence in protecting participant data and accounts in an increasingly electronic world. Cybersecurity is complex and is a subject that must be considered carefully, deeply, and periodically, just like the selection of investments and other operational issues of the plan you sponsor.
Source: Spotlightonbenefits.com, January 2021
A plan sponsor is suing the trustee for its 401k plan for breaches of fiduciary duties related to a fraudulent distribution from a participant's account made in 2020. American Trust is the trustee for the Mandli Communications 401k Plan and Trust. One of the services it provides to the plan is reviewing and approving all distributions from the plan.
Source: Planadviser.com, January 2021
A new case of 401k theft has led to a lawsuit by the participant, and the plan, against a provider. The suit alleges that on Feb. 14, 2020, "American Trust made an unauthorized distribution in the total amount of $124,105 from Mr. Mandli's Plan account in response to a request for a distribution from an unknown third party."
Source: Asppa.org, January 2021
Plan sponsors should now have on their priority list for 2021 the development of cybersecurity policies and procedures for both the company and the plan. Here are a few key items plan sponsors should consider including as they develop or update their company cybersecurity policy.
Source: Linkedin.com, December 2020
There's been increasing awareness -- and litigation -- regarding cybersecurity and participant accounts and the DOL has taken notice. Sources say that DOL plan audits are now asking to see employers' written cybersecurity policies and procedures and asking about cybersecurity attacks, and the responses to them.
Source: Napa-net.org, December 2020
Plan sponsors might think they can breathe a sigh of relief following a recent decision from U.S. District Judge Thomas Durkin for the Northern District of Illinois. The decision dismissed Abbott Laboratories from a lawsuit related to a cybersecurity theft from an employee’s retirement account, ruling that the plan participant failed to prove that Abbott itself is a fiduciary concerning the alleged failures. But the federal court decision does not let plan sponsors off the hook, and various state laws may be applied to cases against them.
Source: Plansponsor.com, November 2020
Recent reports of 401k thefts and an ongoing concern about cybersecurity should have everybody on the alert. Here are five things you, your plan sponsor clients, and their participants should check out.
Source: Napa-net.org, November 2020
The Department of Labor is working on a guidance package addressing cybersecurity issues as they relate to plan sponsors and third-party providers, a key official said Oct. 28. He also expects to see more focus in the department's investigations on the adequacy of various cybersecurity programs, especially for large plans in terms of making sure the providers they hire are observing good cybersecurity practices.
Source: Napa-net.org, October 2020
Plan fiduciaries are now faced with the detailed compliance requirements of ERISA and cybersecurity laws including data breach matters. So, what can fiduciaries do to minimize their cybersecurity liability?
Source: Foley.com, October 2020
For the court, the determinative issue at this stage of the litigation was the fiduciary status of each of the defendants. As described here, the court concluded that Alight was the only defendant sufficiently alleged to be a fiduciary, and thus dismissed all claims against the Abbott Labs defendants but allowed the claims against Alight to move forward. The case highlights the evolving nature of ERISA cyber-security litigation and represents the second case where plaintiffs survived a motion to dismiss alleging that plan service providers were fiduciaries when allegedly failing to prevent cyber fraud from draining participant accounts.
Source: Groom.com, October 2020
The opinion is unique because it raises important questions -- not just about the scope of a TPA's ERISA fiduciary liability for distributing plan benefits that end up in a cyber criminal's pocket -- but whether ERISA plan TPA's can be sued for both ERISA fiduciary breach claims and state law consumer fraud claims resulting from the same alleged misconduct: the failure to enact cybersecurity procedures that prevent the theft of plan assets. The result of the Abbott decision has serious implications.
Source: Wagnerlawgroup.com, October 2020
Recent Cybersecurity Breach Case Proves Risks Are Rife for Both Retirement Plan Sponsors and Service Providers
ERISA became law before the computer age, so there are no provisions in the Act dealing with cybersecurity. Also, there is no formal guidance from the IRS or Department of Labor on cybersecurity responsibilities either, leaving it to the courts to determine responsibilities under ERISA when a cybersecurity breach occurs that results in theft from a participant’s account. This was the case in Leventhal v. MandMarblestone Group LLC, where a plan participant sued his third-party plan administrator and plan custodian after his 401k account was drained by cybercriminals.
Source: Hallbenefitslaw.com, October 2020
The plaintiff named Abbott Labs as a defendant, but the court dismissed these claims on the ground that the plaintiff did not show that Abbott Labs acted as a fiduciary or was identified as a fiduciary in the plan document. No acts were specified that linked Abbott to the alleged theft, and a complaint must allege that Abbott acted in a fiduciary capacity when it took actions that were the basis for the lawsuit.
Source: Cohenbuckmann.com, October 2020
We know fraudsters are looking to exploit elements of the CARES Act that provide retirement plan sponsors the ability to allow in-service distributions, loans, and withdrawals free of fees. The combination of the work-from-home model most workers are experiencing, coupled with the anxiety and emotional distress retirement plan participants could be feeling given market volatility and job losses related to the pandemic provides a ripe target. Here are several tips plan sponsors can share with participants to promote fraud prevention.
Source: 401kspecialistmag.com, October 2020
Abbott Laboratories defendants have been dismissed from a lawsuit alleging failures related to an employee's retirement account theft. District Judge Thomas M. Durkin of the U.S. District Court for the Northern District of Illinois, however, denied recordkeeper Alight Solutions' motion to dismiss.
Source: Planadviser.com, October 2020
Memory fades. But how fast? Within six months, at least regarding cybersecurity protocols, according to a study of how long employees retained the security measures they had learned. Researchers who studied 409 employees found that they were able to identify which emails were legitimate and which were phishing immediately after a security awareness and education program was conducted, and even four months after. But after half a year had elapsed, that was not the case.
Source: Asppa.org, October 2020
The monetary assets of the participant accounts are plan assets, and a plan fiduciary must exercise prudence to protect them from theft, including theft through a cyber breach. Plan sponsors have a fiduciary duty to ensure that their recordkeepers are providing appropriate security measures for protecting plan assets from unauthorized activity. If an employee's personal information has been compromised, or her identity stolen, her retirement accounts are at risk.
Source: Employeebenefitslawblog.com, September 2020
The answer is yes. The assets of 401k and other retirement plans represent a significant financial asset and present an inviting target for cybercriminals. Employers who sponsor these plans are almost always plan fiduciaries and likely targets of suits over unauthorized plan withdrawals. Plan sponsors should consider their cybersecurity protective measures and make sure that plan service providers have taken appropriate steps to secure the confidentiality of participants' personal information.
Source: Gct.law, September 2020
Cybercriminals have become increasingly sophisticated when targeting organizations holding significant assets and personal data. As a result, complaints have been filed and case law is developing that should motivate plan sponsors to satisfy their fiduciary duty to enact prudent procedures and safeguards to protect plan assets and plan data.
Source: Cpajournal.com, September 2020
It is hard to imagine that the drafters of ERISA envisioned a day would come when retirement plans would be administered electronically and distribution of paper notices and disclosures to plan participants might become a thing of the past. However, the retirement industry seems to be swiftly moving in that direction. This creates a new liability source for the plan and its service providers.
Source: Wagnerlawgroup.com, September 2020
On April 3, 2020, a participant in the Abbott Corporate Benefits Stock Retirement Plan, Heide Bartnett, filed a complaint against her employer and Alight Solutions, the Plan's contract administrator and recordkeeper, for allegedly processing a fraudulent $245,000 distribution from Ms. Bartnett's Plan account to an unknown person that impersonated her. In response and further demonstrating the lack of clarity on who is liable when a plan suffers a data breach, on June 30, Abbott Laboratories and Alight Solutions pointed fingers at each other in dueling motions.
Source: Wagnerlawgroup.com, September 2020
Although the defined benefit plan may be falling by the wayside, many believe that pensions are still a hotbed for fraud. This belief is due in large part to the general nature of a pension and the large amounts of money accumulated over time that is inaccessible to the intended recipient until some future point in time. Under ERISA, employers and fund managers can be held liable for damages sustained when employees are defrauded of their pension assets.
Source: Eisneramper.com, August 2020
Data and personally identifiable information have become increasingly vulnerable to attack as they travel on employer and third-party systems. This has been partially due to the recent advancements in plan administration, technology, online enrollment, and electronic access to account information, the electronic delivery of disclosures including benefit statements, as well as benefit plan transaction processing (including self-certifications of distributions). Most transactions involving retirement plans are conducted electronically, including maintaining and sharing data and information across multiple platforms. This article guides plan fiduciaries of retirement plans on developing prudent policies and procedures to secure information and data.
Source: Ebglaw.com, July 2020
In the employee benefit plan landscape, cyber theft of participant accounts is a disaster waiting to happen. Whether or not you are liable as a plan sponsor, is a situation you do not want to be in. Fortunately, there are steps plan sponsors can take to safeguard participant accounts from cyber theft.
Source: Orba.com, July 2020
Based on long-standing ERISA law, it seems likely that plan sponsors will be held accountable for failing to fulfill their fiduciary responsibilities of prudence and loyalty when the vendors they hire allow a breach to occur. However, one reason the law has not been clarified to date is that often these participant claims have been settled quietly. Even a much-publicized lawsuit against Estee Lauder and its plan committee ended up being settled before trial. A pending suit against Abbott Labs could proceed to trial and there have also been two preliminary decisions in another case with the potential to clarify the rules.
Source: Cohenbuckmann.com, July 2020
The widespread move to remote work in light of the COVID-19 pandemic means plan sponsors should take a careful look at their cybersecurity measures. To drive the urgency home, lawsuits alleging cyberfraud negligence have been on the rise. MandMarblestone Group, Nationwide, Abbott Laboratories, Alight Solutions, and Estee Lauder have all faced litigation in the past year.
Source: Plansponsor.com, July 2020
A federal grand jury on Tuesday indicted an Orange County, California man on charges that he fraudulently obtained access to Boeing employees' retirement accounts. The man is accused of siphoning their money by making hundreds of thousands of dollars' worth of fraudulent money transfers to himself.
Source: 401kspecialistmag.com, July 2020
Further demonstrating the lack of clarity on who is liable when a plan suffers a data breach, on June 30th, Abbott Laboratories and Alight Solutions pointed fingers at each other in dueling motions to dismiss a complaint that alleged both were fiduciaries in connection with a plan data breach that stole $245,000 from a participant's plan account. The Northern District of Illinois will now have to decide if, based on the complaint's allegations, either Abbott or Alight (or both) could have (i) fiduciary responsibility concerning the theft of funds from the participant's account and whether (ii) the plan participant has pled a plausible claim of fiduciary breach.
Source: Wagnerlawgroup.com, July 2020
The increased flow of electronic communications risks the potential exposure of participants' confidential and personal data to cybercriminals and, in turn, creates a new liability source for the plan and its service providers. The procedures many plan sponsors, third-party administrators, and recordkeepers currently have in place to exchange data or manage and verify participant withdrawals may no longer be prudent or feasible. Because of the urgency in dealing with this problem, the time is now for plan sponsors, plan fiduciaries, and plan service providers to address and reevaluate cybersecurity concerns, to ensure they and their participants will not fall victim to fraud, hacking or phishing schemes.
Source: Wagnerlawgroup.com, June 2020
Plan sponsor employers and employees participating in 401k or other retirement plans should be aware of cybersecurity breaches and unauthorized plan distributions. The heightened level of plan distributions coupled with the security risks associated with electronic communications and the "new normal" of working remotely, sometimes on personal computers, may increase the exposure of participants' confidential and personal data to cybercriminals. While employees may envision their 401k plans as safely tucked away for retirement, their accounts may be vulnerable to cyber fraud.
Source: Gtlaw.com, June 2020
Across the retirement industry, technology and digitization are delivering significant enhancements for participants and plan sponsors. Benefits include personalization, automation, and data analytics. But the increasing usage and reliance on technology come at an additional cost, cybersecurity. A recently filed ERISA lawsuit underscores the importance that cybersecurity plays in the fiduciary process, both for plan sponsors and service providers, and could serve as a harbinger of things to come.
Source: Greenspringadvisors.com, June 2020
Court Decision Highlights the Dangers of Cybersecurity Breaches for Both Plan Sponsors and Plan Service Providers
The Leventhal decision comes against the backdrop of our current economic climate that, to be sure, raises the stakes for retirement plan cybersecurity. Plan sponsors are operating in a novel environment, where more employees are working remotely than ever before, many of their participants might be furloughed or unemployed, and the CARES Act makes it more accessible and attractive for employees to withdraw from their 401k plans. The collision of these factors makes securing participant retirement accounts all the more vital. The Leventhal case highlights the importance of protecting against cybersecurity breaches amid these unusual times.
Source: Wagnerlawgroup.com, June 2020
Jess Leventhal, The Leventhal Sutton & Gornstein 401k Profit Sharing Plan, and Leventhal Sutton & Gornstein, Attorneys at Law sued MandMarblestone Group and Nationwide for breach of contract, breach of fiduciary duty under the ERISA and negligence related to cyberfraud against Jess Leventhal's plan account. A federal judge previously moved forward ERISA claims against retirement plan providers and has recently allowed for a counterclaim by the providers against the plan sponsor.
Source: Planadviser.com, May 2020
Without substantive regulatory guidance, and taking into account the increasing threat of cyber criminality to retirement plans, plan sponsors should establish, evaluate, and test their cybersecurity protocols. Plan sponsors might want to take a conservative approach and assume that ERISA's duties of loyalty and prudence do indeed apply to participants' identification data and their plan benefits, in case the DOL or the courts conclude that such information does constitute plan assets for purposes of ERISA.
Source: Wagnerlawgroup.com, May 2020
When the actual funds in an individual's retirement account are stolen, ERISA's fiduciary protections will apply, and HIPAA responsibilities will also apply if the breach involves unauthorized access to Protected Health Information. The question then becomes, who will be liable when plan assets are stolen and what do fiduciaries need to do to protect themselves from liability.
Source: 401kspecialistmag.com, May 2020
In today's world, the money isn't in the banks. It's in retirement plans. And smart thieves don't crack safes or use dynamite. They steal identities and use the internet. Under our current stay-safe-at-home policies, retirement accounts have never been more at risk than they are today. It's not that the plan sponsors are lax. It's that their employees may be.
Source: Fiduciarynews.com, April 2020
Abbott, as the plan sponsor, is a fiduciary and was responsible for supervising Alight's procedures for safeguarding plan assets, yet the complaint provides no information about what Abbott did or did not do to monitor Alight. Abbott may also have breached its duties of loyalty and prudence by its failure to hire a vendor with adequate internal procedures. In that event, Abbott and its fiduciaries would also be required to restore the loss.
Source: Cohenbuckmann.com, April 2020
A recently-filed lawsuit describes in specific detail the efforts cybercriminals often take to pilfer assets from retirement accounts. As a complaint, the filing provides only the plaintiff's version of what happened, and we have not yet heard from the defendants. But the complaint is particularly interesting in its description of how the theft occurred and may point to some useful approaches to try to reduce future fraud.
Source: Groom.com, April 2020
When Heide Bartnett went to the mailbox in January 2019 and opened up her 401k statement, she expected to see a robust balance. Instead, she saw lines of zeros and an unauthorized $245,000 withdrawal. She filed a federal lawsuit in Chicago against Abbott and Alight Solutions alleging they failed to protect her retirement savings plan and seeking to recover the $245,000 plus damages. While Bartnett's lawsuit is focused on a single alleged victim, the problem of 401k cyberfraud is widespread, experts say.
Source: Chicagotribune.com, April 2020
Plan sponsors and their fiduciaries should consider taking proactive steps to protect their participants and their plan assets. This article reviews retirement plan cybersecurity best practices that plan sponsors should consider adhering to in order to safeguard against cyberattacks.
Source: Planpilot.com, March 2020
Plan fiduciaries have numerous responsibilities under the law when administering programs and handling participant funds and benefits, including the responsibility to make sure the technology they choose to use is secure. A cybersecurity breach, especially one that exposes personal identification information or leads to a loss of funds, can create significant liability for the plan. Here's what you should do.
Source: Hallbenefitslaw.com, March 2020
Cybersecurity has emerged as a top issue for retirement specialist advisors: 80% rate data security/cybersecurity as very important, deeming it the single most important factor when evaluating recordkeepers. At the same time, it represents a growing concern and significant expense for plan providers, particularly recordkeepers and third-party administrators.
Source: Cerulli.com, March 2020
Fraudulent distribution requests are on the rise, and it is not always clear who is responsible and/or who is at fault for security breaches that deplete an unsuspecting participant's retirement savings. Data privacy is an emerging concern for ERISA plan fiduciaries and service providers alike; do you know where your liabilities are?
Source: Asppa.org, March 2020
A former participant in the Estee Lauder 401k plan (who sued the plan sponsor and plan providers for failing to safeguard her retirement account), the plan's recordkeeper Alight Solutions, and Estee Lauder have filed a Notice of Settlement in the U.S. District Court for the Northern District of California. Details of the settlement in the first case of its kind to call into question the cybersecurity defenses a plan sponsor and its providers had in place for retirement account fraud have not yet been revealed.
Source: Plansponsor.com, March 2020
Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own, they also need to proactively help their plan sponsor clients establish airtight cybersecurity firewalls and procedures, industry experts say.
Source: Planadviser.com, February 2020
While transitioning to a modern communication format to increase convenience and lower costs sounds very attractive, plan sponsors have a fiduciary responsibility to ensure that participants' data are protected. The proposed rule remains vague regarding data protection requirements, simply stating that plan administrators must take reasonable measures to ensure confidential information is safeguarded.
Source: Bdo.com, February 2020
Sometimes what you don't know is as important as what you know. The responsibility to protect plan data falls on three parties, according to Bruce Ashton: (1) service providers; (2) plan sponsors/fiduciaries; and (3) participants. "Much of the scrutiny regarding cybersecurity will fall on you as service providers," he remarked.
Source: Asppa.org, February 2020
Your friend's Facebook account was hacked, your neighbor was part of the Equifax data breach, your client's credit card was charged fraudulently, but never do you think it could happen to you. Well, it could. This article shares a story about a near personal identifiable information mishap and a new marketing idea on how you can approach prospects to win more retirement plan business.
Source: Napa-net.org, January 2020
Cybersecurity has been a growing concern across all parts of life in the digital age. Plan sponsors need to understand how vulnerable retirement plan and participant data is to cyberattacks, and know what they, providers and participants can do to mitigate the risk.
Source: Plansponsor.com, December 2019
Cybersecurity: What Plan Participants Can Do to Protect Their Accounts and How Plan Sponsors Can Help
Retirement plan providers invest significant resources to protect participant accounts from cyber theft. Yet, security vulnerabilities can still be exploited if participants are not proactively engaged in protecting their own accounts. Covered here are some things plan sponsors can do to help plan participants understand the importance of and, more importantly, take action to bolster their account security.
Source: Fiallc.com, December 2019
Criminals attempting to steal employees' benefits is not a new issue. However, the means by which they commit such crimes have changed with the advancement of technology and how benefits are paid. Two recent cases alleging breach of fiduciary duty under ERISA in connection with the distribution of participant account balances in DC plans highlight the compliance and litigation risks associated with plan losses. This article provides an in-depth analysis of these cases.
Source: Groom.com, December 2019
Imagine you have a plan participant who suddenly finds that $99,000 has been stolen from her account by a hacker. Her only notice was confirmations she received after the money had been stolen. Now imagine that you are that participant. These are the facts of an actual lawsuit recently filed by a plan participant who was a victim of cyber theft. The plan fiduciaries and recordkeeper refused to reimburse her losses, and her retirement account literally disappeared. Is anyone legally responsible to make up this kind of loss? If you are a plan sponsor or other plan service provider whose systems permitted this breach, you may well be, and you need to pay attention to maintaining and improving your system's security.
Source: Penchecks.com, December 2019
Plan sponsors are taking measures to battle cyberattacks on retirement plan participant data and accounts, but is there anything participants can do to protect themselves? An approach plan participants are always urged to employ is creating a strong, complex password, along with keeping anti-virus and anti-malware software on personal computers up to date and avoiding links from unknown users.
Source: Plansponsor.com, December 2019
Cybercrime, and cybersecurity, obviously are a concern for plans. But that means more than making sure plan records and accounts are not targets and victims, it also includes other functions, structures, and systems. Experts at the recent SPARK Forum offered insights and tips on heading off cybercrime and protecting the integrity of processes and systems.
Source: Ntsa-net.org, December 2019
A recently filed ERISA action raises troubling questions about the safety of 401k plan participant account assets and the proper allocation of financial responsibility when account assets are stolen. The case alleges that the Estee Lauder 401k Plan, acting through its recordkeeper, Alight Solutions LLC (formerly Hewitt Associates, LLC), processed a series of three unauthorized distributions from the plaintiff's account in the amounts of $12,000, $37,000 and $50,000, respectively, over the course of approximately three weeks.
Source: Psca.org, November 2019
The two areas of cybersecurity defense that sponsors should be mindful of are breaches and fraud. A breach is where there is a compromise to your information systems, and there is a large extraction of data. Fraud is when that data is used to perpetrate a financial crime. Should a breach or fraud occur, a sponsor could be liable if the claimant establishes that it failed to follow a prudent process to safeguard the plan data.
Source: Plansponsor.com, November 2019
The trend of commercial database breaches involving the disclosure of personally identifiable information does not appear to be slowing down. Recent large scale PII breaches of other companies can negatively impact your retirement plan and participants. Cyber criminals are becoming more sophisticated and with the glut of PII available to them, in combination with other techniques such as phishing and malware, retirement accounts are being put at risk of fraudulent access and distribution of funds. As a retirement plan sponsor and fiduciary, there are steps you should take to mitigate the risk of fraud from occurring within your plan.
Source: Newportgroup.com, November 2019
Cybersecurity is a major concern in the context of retirement plans as plan participants' financial and personally identifiable information is maintained and shared across multiple parties. The cybersecurity environment for retirement plans is undergoing significant evolution, and this evolution will accelerate. While the precise fiduciary obligations of plan sponsors with respect to plan and participant information are not yet clearly defined, it is clear that multiple efforts are underway to define those obligations and to respond to the increasing need to strengthen protections.
Source: Ajg.com, November 2019
Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401k clients are asking about cybersecurity issues. Recordkeepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved. It is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing.
Source: Investmentnews.com (registration may be required), November 2019
ERISA was enacted before the computer age, and it has never been amended or interpreted to impose a specific duty on plan fiduciaries to maintain appropriate cybersecurity protections. However, fiduciaries should not have their heads in the sand about this issue. The duties of prudence and loyalty will likely be interpreted to include a responsibility to keep plan assets safe from hackers. A lawsuit recently filed against Estee Lauder Inc, its 401k plan committee, recordkeeper and custodian highlights some security flaws in plan distribution procedures and has the potential to make new law in this area.
Source: Cohenbuckmann.com, October 2019
A former participant in the Estee Lauder 401k plan has sued the plan sponsor and plan providers for failing to safeguard her retirement account. According to the complaint, in September and October 2016, an unknown person or persons stole the participant's retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan.
Source: Planadviser.com, October 2019
A group of seven Republican senators is urging the Senate Majority Leader to act on one of the most consequential pieces of retirement security legislation in more than a decade. "We encourage the Senate to take action on the SECURE Act as soon as possible. Doing so would demonstrate to our constituents that the Senate can lead in a bipartisan way for workers saving for retirement, for tax fairness, and for family financial security," says the Oct. 15 letter.
Source: Napa-net.org, October 2019
In the past, the task of identifying cyber risk of any size organization fell mostly to the Chief Information Security Officer and focused on utilizing the "governance, risk, and compliance" model. The updated model, "integrated risk management," goes beyond technology to include people and process. This article introduces a more formal approach to RIA cybersecurity.
Source: 401kspecialistmag.com, October 2019
Given the potential dollar amounts at stake, plan fiduciaries should monitor evolving cybersecurity threats and industry standards for dealing with them and take steps to avoid potential attacks on their own plans. This 4-page article evaluates the current legal landscape and highlights some best practices for plan fiduciaries to reduce the cybersecurity risks to their plans.
Source: Eversheds-sutherland.com, October 2019
Cyber risks have become a more significant issue in the retirement space in recent years. With many plans using multiple service providers that share large amounts of data, vulnerabilities are evident, and risks are prevalent. Both plan assets and personally identifiable information (PII) are at risk. While completely eliminating these risks is impossible, managing these risks is achievable and is essential to not only following ERISA prudence standards, but simply in serving the best interests of plan participants as well.
Source: Planpilot.com, September 2019
Fiduciaries owe a duty of loyalty to plan participants and must discharge their duties solely in the interest of plan participants and beneficiaries. Ignoring online threats could potentially violate this duty. This article reviews some proactive steps plan fiduciaries can take to protect participant data and account balances.
Source: Shrm.org, August 2019
Many retirement plan fiduciaries do a lackluster job monitoring the cybersecurity performance of the vendors they work with on a daily basis. A digital security expert says, "the behavioral and human element of data protection is always the most challenging part."
Source: Plansponsor.com, July 2019
The threat of a cyberattack is prevalent throughout the business world. Given the highly sensitive data held within employee benefit plans, it should come as no surprise that they have become a major target for hackers. Protecting participants’ personally identifiable information is a responsibility no longer limited to IT departments. Plan sponsors, fiduciaries and service providers of all employee benefit plans have an obligation to establish strong information systems practices to help prevent these attacks.
Source: Schneiderdowns.com, June 2019
Cybersecurity has become a prevalent concern in the retirement industry. Surprisingly, many plan breaches are not due to third-party attackers; rather, they can stem from misconduct by employees. Therefore, it is in the best interest of plan sponsors to provide guidelines to their participants so these vulnerabilities can be prevented.
Source: Planpilot.com, June 2019
Among a plan sponsor's responsibilities, encouraging and enforcing cybersecurity are not the first tasks that come to mind. But, as modern technology takes over the common workplace, the concept of cybersecurity for retirement plans has started to see attention. Plan sponsors should evaluate providers' cybersecurity practices, but there are also steps they and plan participants can take to safeguard retirement accounts.
Source: Planadviser.com, May 2019
The $5 trillion in retirement plans have become a "tempting target" for hackers to access sensitive information held by plan providers in the industry, so two legislators asked the Government Accountability Office to examine data protections, processes and procedures within the private retirement system.
Source: Workforce.com, May 2019
To a cyber criminal, the retirement plan industry looks like a big candy store with over five trillion dollars in liquid assets. It's up to plan sponsors to not only recognize the risk of cyber crime, but also proactively defend their retirement plans and participants. This article and podcast discuss what plan sponsors and participants can do to protect this important benefit.
Source: Francisinvco.com, May 2019
Cybersecurity risk management is no longer an issue plan sponsors can ignore. Auto-portability may be an answer to one of the 401k plan sponsors' cybersecurity risk management concerns. Yes, cybersecurity risk management solutions may be available via the 401k auto features that knowledgeable retirement plan advisors have been touting for the past 5 years. Surprisingly, the technology that makes 401k auto-portability possible may also enhance existing industry best practices that protect plan participants' personal data.
Source: 401ktv.com, May 2019
Defined contribution plans and their participants are not immune to the threat of cybersecurity breaches. Each data transmission to your recordkeeper or payroll provider, for example, creates risk. Plan sponsors and Retirement Plan Committees should be asking each other, "are we doing all we can to strengthen our retirement plan against cybersecurity breaches by keeping cybercriminals from hacking our participants' accounts?"
Source: 401ktv.com, May 2019
Reading the words "cyber security breach" and "cyber fraud" on the news, email, or in general can alone cause panic. But what constitutes a security breach, and how a recordkeeper should inform a plan sponsor about cyber-related events continue to be unclear throughout the industry. The SPARK Institute's Data Security Oversight Board worked with definitional examples from national cyber standards, international regulations, state privacy laws, and client contracts and gathered insights from the plan consultant representatives on the board.
Source: Planadviser.com, May 2019
Plan sponsors and service providers already take seriously their responsibilities to protect participant data, but where are the lines of responsibilities and accountability in the event of a breach?
Source: Napa-net.org, May 2019
The extent to which individuals should have control over their personal information and the data they generate in the on-line world has seized center stage in our national conversation. A new proposed settlement in Cassell v. Vanderbilt Univ. highlights the importance of these issues in the retirement plan marketplace.
Source: Groom.com, April 2019
There is no definitive answer to the question of whether the sponsor of a benefit plan is subject to the fiduciary standards of ERISA with respect to implementing cybersecurity measures to protect participants' financial data. Acknowledging a complete lack of guidance, a Senate committee sent a letter to the U.S. Government Accountability Office requesting guidance from the GAO on issues related to cybersecurity and the private retirement system.
Source: Truckerhuss.com, April 2019
With everything from pizza deliveries to multi-million dollar deals being handled online, it should come as no surprise that hackers might target your 401k plan. However, security breaches don't stop with an unknown party simply accessing your participants' personally identifiable information. Hacks also can lead to unauthorized withdrawals of funds from 401k plans. This article provides some best practices for avoiding this type of costly breach.
Source: Hallbenefitslaw.com, March 2019
A recent FTC Cybersecurity proposal is significant to the retirement plan community for several reasons. First, the Proposal, if finalized, could raise the baseline for plan fiduciaries when developing prudent cybersecurity programs. Second, the Proposal builds on the increased interest in cybersecurity by regulators, Congress, and the states. Expect that other GLBA regulators, such as the banking regulators or the SEC may consider incorporating elements of the Proposal into their own regulations or guidelines.
Source: Groom.com, March 2019
Employee benefit plans typically gather, use, and maintain confidential data about plan participants. Employers, plan sponsors, and fiduciaries must use cybersecurity best practices to protect this information. This article explores some cybersecurity techniques applicable to employee benefit plans.
Source: Hallbenefitslaw.com, March 2019
Aon released its 2019 Cyber Security Risk Report, which details the greatest cyber security threats and challenges organizations are currently facing. Among other risk areas shared are expansion of data into mobile devices and sharing of data with third-party vendors and service providers.
Source: Plansponsor.com, February 2019
A letter to Gene Dodaro, Comptroller General of the U.S. Government Accountability Office (GAO), identifies 10 questions federal lawmakers would like the GAO to answer, following its examination.
Source: Plansponsor.com, February 2019
The day starts as any other. A distribution form comes in for processing. It has a participant signature. The spousal consent section is completed and notarized. The Plan Administrator has signed the form. No problem. So, you process the $450,000 in-service distribution and give it no further thought. Three days later, the real participant calls in a panic wondering where his money went. Yikes. As a third party administrator (TPA), what can you do to help thwart this brazen, growing band of thieves? Do you have an obligation to do anything? What if your firm is acting as an ERISA 3(16) delegated fiduciary? Lots of questions, but we have no concrete guidance from any federal agency.
Source: Ferenczylaw.com, February 2019
The retirement industry has no unified cybersecurity approach to protect sensitive data, and an amalgam of federal and state regulations doesn't offer any clear approach for security within the retirement space, industry sources said.
Source: Pionline.com, February 2019
To a cybercriminal, the 401k industry looks like a big candy store with over $5 trillion in liquid assets and largely automated systems. Armed with your name, social security number, date of birth, address and any personal information available on social media, your 401k account is vulnerable. Not surprisingly, since these large-scale data breaches have occurred, industry insiders report a sharp increase in the number of attempts to steal 401k assets. Here are some steps you should take now to protect your 401k assets.
Source: Francisinvco.com, January 2019
The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information on millions of workers. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for an independent third-party reporting of cyber security capabilities with several key control objectives.
Source: Pensionresearchcouncil.wharton.upenn.edu, December 2018
Retirement plans are a relatively new frontier for cyber fraud, but many in the industry say that such heists are becoming more common. Retirement plans have yet to be the target of the kind of system-wide hacks that make headlines, such as the Equifax breach last year. Still, hackers are getting ever-more sophisticated in their approaches.
Source: Barrons.com, December 2018
Cybersecurity risks, such as phishing techniques, malware and ransomware attacks, facing employee benefit plans are no different than those facing corporations, and in fact, may be even more significant. As a plan sponsor and those charged with governance, you have a responsibility with respect to management and oversight of the plan, including understanding risks to the plan, even risks of cyberattacks.
Source: Schneiderdowns.com, November 2018
Tim Rouse of SPARK, Allison Itami of Groom Law Group, and Ben Taylor of Callan Consulting discuss "Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective" at the 2018 PRC Symposium.
Source: Youtube.com, September 2018
The best way to secure plan participants' information and assets is to establish an effective cybersecurity strategy. Organizational policies and training will ensure cybersecurity understanding and consistent practices across the board. The most effective cybersecurity strategy includes both a prevention plan as well as a response plan of action against a breach.
Source: Planpilot.com, September 2018
Cybersecurity fraud was once a problem reserved for the largest government agencies, credit card companies and banks. However, as these organizations have hardened their security capabilities, fraudsters have shifted their focus to the next tier of banks, as well as financial firms that play in the brokerage, retirement and insurance spaces. Many of these firms are now scrambling to learn from the big banks and quickly implement similar or next generation cybersecurity methods and capabilities.
Source: Newportgroup.com, September 2018
This article outlines reasons employers should consider obtaining cyber insurance, protections that a plan should include, possible drawbacks, and best practices for finding the plan with the appropriate coverage.
Source: Spencerfane.com, August 2018
While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly. More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.
Source: Forbes.com, July 2018
One of the most difficult challenges for plan sponsors is determining where to start in their efforts to defend against increasingly sophisticated cyber attacks. This article is designed to assist plan sponsors with formulating and executing their strategy to protect their information and their assets.
Source: Callan.com, July 2018
This article discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce cybersecurity risks, some of which are tips employers can share with retirement plan participants.
Source: Passwordprotectedlaw.com, July 2018
Employee benefit plans rely on a variety of service providers to administer benefits. Those providers maintain a plethora of participant data and protect plan assets for the benefit of participants. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies -- and their exclusions -- is important for sponsors who are exploring such coverage.
Source: Spencerfane.com, June 2018
The advent of electronic banking, plan administration, and account information access make it possible for cyber criminals to plunder assets, absent protections. Experts at the recent 2018 SPARK Institute National Conference held in National Harbor, MD addressed online threats to financial assets -- virtual, but also very real.
Source: Asppa.org, June 2018
Benefit plans are uniquely susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties. This 5-minute podcast discusses cybersecurity issues impacting employee benefit plans. It reviews the developing legal framework in cybersecurity and outlines practical tips that plan sponsors and recordkeepers may use to secure plan data.
Source: Erisapracticecenter.com, June 2018
This 8-page document was prepared by the EBPAQC to help plan auditors understand cybersecurity risk in employee benefit plans, and to discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients.
Source: Aicpa.org, May 2018
The U.S. retirement model has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware or underprepared for the ramifications of a cyberattack, experts warn.
Source: Benefitnews.com, April 2018
Retirement plans are notorious targets for these attacks because they involve a high volume of sensitive information that is invaluable to criminals with malicious intent. Plan participant and financial information is generally shared with many different parties, making it more vulnerable to such threats. This article discusses current risks as well as some useful tips for protecting plan participants' information.
Source: Planpilot.com, March 2018
Data security is a major concern for all organizations. There are many elements involved in protecting your own employees’ and your clients’ personally identifiable information. Conducting a self-assessment and developing your organization’s internal policies are a good starting point. But it is important to recognize that the job of data protection will never be complete; there will always be new items to add to your security to-do list.
Source: Cammackretirement.com, February 2018
There is no explicit cybersecurity duty that applies to consultants under ERISA. Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans, in order to assist plan sponsor clients in fulfilling their fiduciary duties.
Source: 401ktv.com, February 2018
Cybersecurity is a topic that is routinely grabbing headlines across industries, and employee benefit plans are not immune to the risks of cybercrime. The best efforts to reduce these risks are multi-faceted approaches to protecting sensitive information, with employers, their plan participants, and their benefit providers all working in tandem to safeguard personal data.
Source: Sentinelgroup.com, February 2018
Despite constant advances in available cybersecurity measures, there is no such thing as perfect security, and companies must be prepared to respond to a significant cybersecurity incident at a moment's notice. This article describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.
Source: Cov.com, February 2018
Only 27% of RIAs surveyed by TD Ameritrade suggest that cybersecurity issues, even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.
Source: Planadviser.com, January 2018
Failure to deal with cybersecurity issues could be a fiduciary breach under these rules and fiduciaries could have personal liability for the resulting losses, for example, if hackers are able to steal plan assets or fraudulently obtain distributions online by pretending to be participants. Participants whose personal accounts are hacked might also have claims against fiduciaries who failed to protect their data.
Source: 401ktv.com, January 2018
The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401k accounts and pension funds, whose breach could upend global markets.
Source: Bloomberg.com, January 2018
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.