
COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities

This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.

This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.

If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.




Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective

Abstract: The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information on millions of workers. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for an independent third-party reporting of cyber security capabilities with several key control objectives.

Source: Pensionresearchcouncil.wharton.upenn.edu, December 2018

Your 401k Might Be a Target for Hackers

Abstract: Retirement plans are a relatively new frontier for cyber fraud, but many in the industry say that such heists are becoming more common. Retirement plans have yet to be the target of the kind of system-wide hacks that make headlines, such as the Equifax breach last year. Still, hackers are getting ever-more sophisticated in their approaches.

Source: Barrons.com, December 2018

Mitigating the Risk of Cyber Attacks to Your Employee Benefit Plan

Abstract: Cybersecurity risks, such as phishing techniques, malware and ransomware attacks, facing employee benefit plans are no different than those facing corporations, and in fact, may be even more significant. As a plan sponsor and those charged with governance, you have a responsibility with respect to management and oversight of the plan, including understanding risks to the plan, even risks of cyberattacks.

Source: Schneiderdowns.com, November 2018

Video: Benefit Plan Cybersecurity Considerations

Abstract: Tim Rouse of SPARK, Allison Itami of Groom Law Group, and Ben Taylor of Callan Consulting discuss "Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective" at the 2018 PRC Symposium.

Source: Youtube.com, September 2018

Cybersecurity: Are Your Plan Participants Protected?

Abstract: The best way to secure plan participants' information and assets is to establish an effective cybersecurity strategy. Organizational policies and training will ensure cybersecurity understanding and consistent practices across the board. The most effective cybersecurity strategy includes both a prevention plan as well as a response plan of action against a breach.

Source: Planpilot.com, September 2018

Cybersecurity: The Industry's Next Frontier

Abstract: Cybersecurity fraud was once a problem reserved for the largest government agencies, credit card companies and banks. However, as these organizations have hardened their security capabilities, fraudsters have shifted their focus to the next tier of banks, as well as financial firms that play in the brokerage, retirement and insurance spaces. Many of these firms are now scrambling to learn from the big banks and quickly implement similar or next generation cybersecurity methods and capabilities.

Source: Newportgroup.com, September 2018

Protecting Employee Benefit Plans With Cyber Insurance

Abstract: This article outlines reasons employers should consider obtaining cyber insurance, protections that a plan should include, possible drawbacks, and best practices for finding the plan with the appropriate coverage.

Source: Spencerfane.com, August 2018

Can Your 401k Be Hacked?

Abstract: While hacking is nothing new, the pace of large-scale cyberattacks has accelerated significantly. More worrisome for many plan sponsors, the focus of cyberattacks in the defined contribution world has shifted from hardened targets like recordkeepers and custodians to plan sponsors, which often lack the extensive cybersecurity defenses of their vendors.

Source: Forbes.com, July 2018

Your Plan Will Face a Cyber Attack. Here's How to Prepare

Abstract: One of the most difficult challenges for plan sponsors is determining where to start in their efforts to defend against increasingly sophisticated cyber attacks. This article is designed to assist plan sponsors with formulating and executing their strategy to protect their information and their assets.

Source: Callan.com, July 2018

Cybersecurity and Retirement Plans

Abstract: This article discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce cybersecurity risks, some of which are tips employers can share with retirement plan participants.

Source: Passwordprotectedlaw.com, July 2018

Cyber Liability Insurance for Employee Benefit Plans: Hackers, Malware, and Phishing

Abstract: Employee benefit plans rely on a variety of service providers to administer benefits. Those providers maintain a plethora of participant data and protect plan assets for the benefit of participants. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies -- and their exclusions -- is important for sponsors who are exploring such coverage.

Source: Spencerfane.com, June 2018

Cyber Fraud: Real Ideas to Address Virtual Crime

Abstract: The advent of electronic banking, plan administration, and account information access makes it possible for cyber criminals to plunder assets, absent protections. Experts at the recent 2018 SPARK Institute National Conference held in National Harbor, MD addressed online threats to financial assets -- virtual, but also very real.

Source: Asppa.org, June 2018

Cybersecurity and Employee Benefit Plans

Abstract: Benefit plans are uniquely susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties. This 5-minute podcast discusses cybersecurity issues impacting employee benefit plans. It reviews the developing legal framework in cybersecurity and outlines practical tips that plan sponsors and recordkeepers may use to secure plan data.

Source: Erisapracticecenter.com, June 2018

Cybersecurity and Employee Benefit Plans: Questions and Answers

Abstract: This 8-page document was prepared by the EBPAQC to help plan auditors understand cybersecurity risk in employee benefit plans, and to discuss cybersecurity risk, responsibilities, preparedness, and response with plan clients.

Source: Aicpa.org, May 2018

Employers Unprepared for 401k Plan Data Breaches

Abstract: The U.S. retirement model has become of increasing interest to foreign hackers, typically the perpetrators of large-scale data breaches. However, companies, plan sponsors and plan participants are unaware or underprepared for the ramifications of a cyberattack, experts warn.

Source: Benefitnews.com, April 2018

Defend Your Retirement Plan From Cyberattacks

Abstract: Retirement plans are notorious targets for these attacks because they involve a high volume of sensitive information that is invaluable to criminals with malicious intent. Plan participant and financial information is generally shared with many different parties, making it more vulnerable to such threats. This article discusses current risks as well as some useful tips for protecting plan participants' information.

Source: Planpilot.com, March 2018

Securing Your Organization's Data

Abstract: Data security is a major concern for all organizations. There are many elements involved in protecting your own employees’ and your clients’ personally identifiable information. Conducting a self-assessment and developing your organization’s internal policies are a good starting point. But it is important to recognize that the job of data protection will never be complete; there will always be new items to add to your security to-do list.

Source: Cammackretirement.com, February 2018

Cybersecurity and ERISA Retirement Plans: The Financial Consultant's Role

Abstract: There is no explicit cybersecurity duty that applies to consultants under ERISA. Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans, in order to assist plan sponsor clients in fulfilling their fiduciary duties.

Source: 401ktv.com, February 2018

Retirement Plans and Cybersecurity

Abstract: Cybersecurity is a topic that is routinely grabbing headlines across industries, and employee benefit plans are not immune to the risks of cybercrime. The best efforts to reduce these risks are multi-faceted approaches to protecting sensitive information, with employers, their plan participants, and their benefit providers all working in tandem to safeguard personal data.

Source: Sentinelgroup.com, February 2018

Preparation and Practice: Keys to Responding to a Cybersecurity Incident

Abstract: Despite constant advances in available cybersecurity measures, there is no such thing as perfect security, and companies must be prepared to respond to a significant cybersecurity incident at a moment's notice. This article describes some key steps companies can take to respond to a cybersecurity incident in a swift, efficient, and effective manner.

Source: Cov.com, February 2018

Advisers Are Apparently Ignoring Cybersecurity Threats

Abstract: Only 27% of RIAs surveyed by TD Ameritrade suggest that cybersecurity issues, even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.

Source: Planadviser.com, January 2018

401k Plan Data, Can It Be Hacked?

Abstract: Failure to deal with cybersecurity issues could be a fiduciary breach under these rules and fiduciaries could have personal liability for the resulting losses, for example, if hackers are able to steal plan assets or fraudulently obtain distributions online by pretending to be participants. Participants whose personal accounts are hacked might also have claims against fiduciaries who failed to protect their data.

Source: 401ktv.com, January 2018

How Wall Street Hopes to Thwart 401k Hackers

Abstract: The industry-led project, called Sheltered Harbor, already is known to back up data for savings and checking accounts. But quietly, it's wrapping in data on retail brokerage accounts at some of the nation's largest firms, according to participants. And ultimately, the goal is to expand it to an even heftier pool of 401k accounts and pension funds, whose breach could upend global markets.

Source: Bloomberg.com, January 2018

Evolving Cybersecurity Landscape Pressures Plan Sponsors

Abstract: Being fiduciaries under ERISA, retirement plan officials are tasked with monitoring and managing cybersecurity risk as they invest participant dollars. As outlined in a new report from Corporate Insight, "Trends in Online Security: 1996 to Today," this is no simple task, and it has grown markedly more complex in the last two decades as the role of big data technology has ramped up in the retirement industry.

Source: Plansponsor.com, December 2017

Thwarting Cyber Attacks on Retirement Plans

Abstract: A stolen identity, a few clicks, and there it is, a handsome retirement plan balance, ripe for the picking. If only someone had done something to prevent it all. A recent blog entry offers some ideas on how to do that, as does the IRS.

Source: Ntsa-net.org, December 2017

Protecting Retirement Plans From Identity Theft

Abstract: Identity theft and related crimes are on the rise, and they can have a devastating impact on employer-sponsored 401k plans. Plans can have very large balances compared to other cyber targets such as bank accounts, and therefore, have become quite attractive to cyber criminals. Cybercrime related to retirement plans can occur because of threats such as phishing, ransomware, "social engineering," and wire transfer fraud, among others.

Source: Icemiller.com, November 2017

Cybersecurity as It Relates to Retirement Plan Data

Abstract: As cybersecurity threats increase, so should plan fiduciary efforts to combat these threats. Fiduciaries can work with service providers to strengthen existing protections and can work internally to create and document procedures that demonstrate prudent process.

Source: Groom.com, November 2017

Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know and Do

Abstract: The loss of employee personal information due to a cyber breach is an ever-increasing concern to all employers. No organization or industry is immune from cyber threats, including benefit plan sponsors and plan service providers. This article analyzes cybersecurity issues for retirement plans.

Source: Poynerspruill.com, October 2017

Five Cybersecurity Best Practices

Abstract: Regulators want to ensure advisors safeguard client and business information online. Implement these best practices to reduce the risk of your data being compromised.

Source: Morningstar.com, September 2017

Retirement Plans at Risk for Identity Theft

Abstract: While many cyber threats have special names, your retirement plan's data may be most at risk from the common things employees do every day that expose them to identity theft. It is those common things -- discarding paperwork containing personal information, posting on various websites, and leaving other information available in the public domain -- that identity thieves may use to gain access to an individual employee's retirement plan account. Retirement plan accounts have been stolen through identity theft in several incidents.

Source: Winstead.com, September 2017

401k Cybercrime: Key to Keeping a Plan Safe Is Not Delegating Fiduciary Responsibilities

Abstract: Some employers delegate the two fiduciary roles that approve cash disbursements (from their 401k plan) to their provider. In the author's view, this outsourcing of fiduciary authority makes a 401k plan more vulnerable to cybertheft.

Source: Employeefiduciary.com, September 2017

Cybersecurity Must Be C-Suite Concern at RIAs, Brokers and Managers

Abstract: Cybersecurity attorney and former SEC staffer Marlon Paz suggests it is absolutely essential for advisory firms to have a senior executive "not just appointed but also empowered" as the chief information security risk officer.

Source: Planadviser.com, September 2017

Cybersecurity More Than an Individual Concern

Abstract: Cybersecurity is a special concern for the financial industry, a lawyer who handles cybersecurity cases said recently. But its importance goes well beyond the integrity of clients' and plan participants' sensitive information; it pervades inter-corporate business functions as well.

Source: Ntsa-net.org, September 2017

Cybersecurity and Online Privacy Issues for Employee Benefit Plans

Abstract: When most plan participants think about security involving their retirement plan, they are typically thinking along the lines of financial security and how their investments perform. However, like other financial institutions, retirement accounts are subject to cyber threats that could threaten users' privacy and other account information.

Source: Bsllp.com, August 2017

How to Guard Benefits Plans From Cyberattacks

Abstract: Cyberattacks -- including incidents of ransomware -- are making headlines almost daily. Because employee health and retirement plans are often top targets, HR professionals should take precautions to defend against these assaults, especially since breaches can also result in penalties and fines.

Source: Shrm.org, August 2017

Three Tips for Better 401k Plan Cybersecurity

Abstract: With trillions of dollars in assets to safeguard, the retirement services industry is now intensely focused on the issue of cybersecurity. This article provides three tips retirement plan participants can use to protect their retirement savings.

Source: 401kspecialistmag.com, July 2017

Is Cybersecurity a Fiduciary Duty?

Abstract: Fiduciary duties and functions have been discussed over the last few years. But a recent blog entry suggests that cybersecurity should be added to them.

Source: Asppa.org, July 2017

Cybersecurity: Are Public Defined Contribution Plans at Risk?

Abstract: Given the continuing need for plans to adopt ever-greater levels of technology for administrative efficiency, the risk of inadvertent disclosure of personal information is escalating. Regardless of the investment made in protecting systems and data transmissions, plans remain vulnerable to human error and malicious or criminal actions.

Source: Nagdca.org, June 2017

Fiduciary Obligations to Safeguard Plan Participants' Data

Abstract: There have been numerous instances of high-profile cybercrime cases over the past couple of years spurring lively discussions in the ERISA community about the potential threat this type of crime poses to plan assets and personal data of plan participants and beneficiaries.

Source: Truckerhuss.com, June 2017

Plan Sponsors' Growing Fiduciary Responsibilities for Cybersecurity

Abstract: This is the slide deck from a presentation on plan sponsors' growing fiduciary responsibilities for cybersecurity given at the SPARK Institute's National Conference, June 1-2, 2017.

Source: Winstead.com, June 2017

SEC Issues Ransomware Risk Alert Highlighting Cybersecurity Best Practices

Abstract: The SEC published a Risk Alert regarding the "WannaCry" ransomware worm that infected hundreds of thousands of computers in over 150 nations earlier this month. The Alert provides background and resources and additionally highlighted cybersecurity best practices.

Source: Sutherland.com, May 2017

Data Breach Risks for 401k and Retirement Plans

Abstract: There has been a recent spike in attacks on 401k and retirement plans by cyber criminals. A data breach is a disruptive event. For plan fiduciaries, there are several factors that create heightened risk.

Source: Jonesday.com, April 2017

What Retirement Plan Sponsors and Employers Need to Know About Cybersecurity Risk and Liabilities

Abstract: Many employers historically were only concerned with privacy and security for health plans under the Health Insurance Portability and Accountability Act and state laws. However, cybersecurity should also be a consideration for every retirement plan fiduciary. To preserve fiduciary protection while making required disclosures electronically, retirement plan fiduciaries should consider whether their duties of loyalty, prudence and to administer the plan for the exclusive benefit of the participants might require them to protect their participants' personal information.

Source: Winstead.com, April 2017

Cybersecurity More Than an Individual Concern

Abstract: Cybersecurity is a special concern for the financial industry, a lawyer who handles cybersecurity cases said recently. But its importance goes well beyond the integrity of clients' and plan participants' sensitive information; it pervades inter-corporate business functions as well.

Source: Asppa.org, March 2017

Addressing Retirement Plan Cybersecurity

Abstract: It's not really new that cybersecurity is a concern for employers. But it shouldn't be ignored, especially in the context of retirement plans, since plan participants' personal and financial information is maintained and shared by multiple parties.

Source: Asppa.org, March 2017

Cybersecurity Risks and Liabilities for Employers, Retirement Plan Sponsors and Fiduciaries

Abstract: Many employers historically were only concerned with privacy and security for health plans under the privacy regulations. However, there are other references to protecting participant information in ERISA and employee information that should not be overlooked. Cybersecurity should be a consideration for every employer and retirement plan fiduciary.

Source: Winstead.com, February 2017

Cybersecurity Considerations for Employee Benefit Plans

Abstract: One of the most significant challenges that face employee benefit plans is the reliance on service providers to manage daily activities of the plan. As a result, employee benefit plans typically share sensitive employee data and beneficiary and employer information with these service providers. Based upon historical cybersecurity breaches, third parties can be considered the weakest cybersecurity link.

Source: Schneiderdowns.com, February 2017

ERISA Advisory Council Makes Recommendations on Cybersecurity

Abstract: The ERISA Advisory Council on Nov. 10 issued recommendations on actions the DOL can take regarding cybersecurity and making workplace retirement accounts more secure.

Source: Asppa.org, November 2016

DC Plans Ask About Cybersecurity Insurance, but Not for Them

Abstract: Defined contribution service providers generally have cybersecurity insurance when they take on recordkeeping and other duties, but DC plan sponsors themselves are more likely to be lacking such coverage. There is no legal requirement for plan sponsors or service providers to have cyber insurance, but it's best practice.

Source: Pionline.com, October 2016

DC Plans Face Threats to Crucial Data

Abstract: Cybersecurity issues are not really unique in defined contribution. Hackers are getting smarter and are getting better at decrypting. DC plans need to get smarter overall in protecting online sites like banking and DC portals. But there are specific issues to defined contribution plans when it comes to cybersecurity.

Source: Pionline.com, October 2016

401k Service Providers and Cybersecurity: Questions to Ask

Abstract: 401k plan fiduciaries have an obligation to secure and keep private the personally identifiable information of plan participants and beneficiaries. Part of this essential task is ensuring that plan service providers take cybersecurity preparedness and plan data protection seriously.

Source: 401khelpcenter.com, October 2016

Podcast: Cybersecurity and 401k Plans: Real or Theoretical Risk?

Abstract: This podcast discusses the evolving world of cyber risk or cyber threats and how they can impact 401k and other employer benefits plans.

Source: 401kfridays.com, October 2016

ERISA Cybersecurity Threats and the Role of Human Resources

Abstract: With the increasing threat to organizations from data breaches, HR plays a critical role in helping prevent and minimize the risk from cyber theft. This 21-minute podcast addresses how to identify potential cybersecurity problems, workforce challenges in data protection, and the use of policies, training and employee education that are designed to protect private and sensitive data.

Source: Littler.com, September 2016

Cybersecurity and the Role of ERISA Fiduciaries

Abstract: Recent technological advancements, especially in the area of cybersecurity, have only now become the focus of most ERISA fiduciaries. Due to the increasing frequency and sophistication of cyber-related threats to employee benefit plans, their trustees and third-party plan administrators and the potential financial repercussions, compliance with ERISA fiduciary standards will require implementation of a prudent cyber risk management strategy. This article is dedicated to understanding cybersecurity issues in the context of ERISA benefit programs.

Source: Pillsburylaw.com, September 2016

ERISA Advisory Council Highlights Importance of Cybersecurity Oversight

Abstract: The 2016 ERISA Advisory Council is gathering to study ways to encourage benefit plan sponsors and managers to adopt strategies that minimize the exposure of plan participants' data to cyber-attack. This article touches on what the Council is considering.

Source: Gtlaw.com, August 2016

SEC Continues to Focus on Cybersecurity for Investment Advisers

Abstract: As in 2015, the Securities and Exchange Commission Examination Priorities for 2016 identify cybersecurity as an area of "potentially heightened [market-wide] risk."

Source: Ria-compliance-consultants.com, August 2016

Plan Advisers Take More Interest in Recordkeepers' Cybersecurity Practices

Abstract: In an era when costly cyberattacks and data breaches are becoming more common, 401k plan advisers are beginning to scrutinize data-security practices at recordkeeping firms. RK clients also have heightened concerns about securing the personal data of their employees.

Source: Investmentnews.com (registration may be required), July 2016

ERISA and Cybersecurity

Abstract: Data breaches are also causing benefit plan administrators and other fiduciaries under ERISA to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401k and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.

Source: Passwordprotectedlaw.com, June 2016

Fiduciary Risk in Data Privacy and Cybersecurity

Abstract: Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. Retirement plan fiduciaries must take precautions to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity.

Source: Morganlewis.com, April 2016

Cybersecurity's Impact on TPAs

Abstract: A recent announcement by the ERISA Advisory Council that it will be focusing on how cyber-related threats affect TPAs is addressed in a recent legal advisory from Pillsbury Law.

Source: Asppa.org, April 2016

An Overview of Cybersecurity Issues Affecting Retirement Plans

Abstract: In order to minimize a retirement plan's overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers' cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyber attack.

Source: Pillsburylaw.com, February 2016

401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.


This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.