
COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities

This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.

This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background or perspective, or are otherwise germane to the topic.

If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.


Why Retirement Plan Sponsors and Fiduciaries Need to Know about the SEC Cybersecurity Amendments

On May 15, 2024, the SEC adopted amendments to Regulation S-P which governs the treatment of nonpublic personal information about consumers by certain financial institutions, many of which are commonly vendors and service providers to retirement plans. When assessing the cybersecurity of a retirement plan service provider that is a financial institution, plan fiduciaries may want to be aware of these SEC requirements as part of their assessment process.

Source: Workplaceprivacyreport.com, May 2024

Merrill Cyber Leak Exposes Walmart 401k Participants

Over a thousand participants in the Walmart 401k Retirement Plan were exposed to a data breach by recordkeeping provider Merrill Lynch, after an employee accidentally revealed private information that included names and Social Security numbers to an unauthorized user. The data breach impacted 1,883 Walmart employees who were enrolled in the company's 401k Retirement Plan.

Source: 401kspecialistmag.com, May 2024

J.P. Morgan Sued for Data Exposure

A participant in a retirement plan managed by J.P. Morgan Chase & Co. has initiated legal action against the company following recent reports of a data breach where over 451,000 plan participants' details were exposed. According to the lawsuit filed in the U.S. District Court for the Southern District of New York on May 3, former Long Island Railroad employee Benjamin Valentine's personal information -- which he entrusted with J.P. Morgan on the mutual understanding that the firm would protect it against disclosure -- was "targeted, compromised and unlawfully accessed due to the data breach."

Source: Planadviser.com, May 2024

A Cybersecurity Audit Survival Kit: What Plan Sponsors Must Do to Pass

Since issuing its first cybersecurity guidance in 2021, the DOL has laid out what it expects plan sponsors to do. The work requirement to follow all the DOL's cybersecurity guidance is substantial. Many organizations don't have the resources to comply fully, or they don't feel an urgency to put their resources toward it, but it appears that cybersecurity will be part of all DOL retirement plan audits. Six experts spoke with NAPA Net about what they think the DOL will expect from plan sponsors with their cybersecurity policies and procedures.

Source: Napa-net.org, May 2024

How Should a Plan Sponsor Respond to a Data Breach?

The data breach incident that took place at J.P. Morgan Chase in February, impacting more than 451,000 plan participants, serves as an opportunity for plan sponsors to reflect on their cybersecurity practices and consider what action they would take if they found themselves in a similar situation. If a plan sponsor that, for example, uses J.P. Morgan as its recordkeeper is notified of a breach in which participant information has been exposed, what should its plan of action be?

Source: Plansponsor.com, May 2024

Retirement Plan Access and Fraud Prevention Considerations

As a significant investment for many Americans, retirement plan assets are an attractive target for cyber hackers globally. Plan participants need to take common-sense measures to safeguard their accounts. Plan sponsors face the dual challenge of providing online access to participants' retirement plans while keeping their information secure. Implementing and maintaining a proactive cybersecurity strategy is key for both parties. Here are a few items to consider.

Source: Spconsultants.com, April 2024

Plaintiffs Request Judge Approve Settlement in ERISA Data Breach Lawsuit

Retirement plan participants whose personal identifiable information was exposed in a 2021 data breach have asked a Georgia federal judge to approve an $8.733 million agreement to resolve allegations, which claimed national consultant Horizon Actuarial Services LLC failed to safeguard their sensitive data.

Source: Plansponsor.com, March 2024

Is Your Plan Cyber-Secure? Fiduciaries and Vendors Face Ongoing Challenges

No steps will ever provide 100% protection against breaches, but in this article, attorney Carol Buckmann discusses the state of the law, court cases in which participants have sued to get stolen benefits restored, and practical steps that can be taken by the company's fiduciaries to better protect participants and lower the risk of loss.

Source: Cohenbuckmann.com, March 2024

401k World: Cyber Thieves

With a quick Google search, anyone can get a sense of the massive amount of money in workplace retirement plans and individual retirement accounts. What may be less known, but not too hard to figure out for hackers, is that retirement plans' unique business model creates multiple potential openings for breaches, according to experts. This article delves into cybersecurity threats to retirement plan assets and the industry's approach to combatting them.

Source: Planadviser.com, March 2024

ERISA Fiduciary Concerns Relating to Cybersecurity: Theft of Plan Assets

Since a cyber breach is not a matter of "if," but a matter of "when," fiduciaries of retirement plans should be addressing this risk. This 4-page article discusses the DOL's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries.

Source: Foxrothschild.com, January 2024

Canadian Plan Sponsors More Vigilant of Cybersecurity Risks When Dealing With Third-Party Vendors: Expert

Data management and transfer are key areas of risk for pension plan sponsors, as the vulnerability of engaging with third parties creates opportunities for cybercriminals, says Jillian Kennedy, a partner at Mercer. According to an online brief published last year by Ernst & Young, third-party service providers hired by public pension plan sponsors tend to be desirable targets of cybercriminals. Vulnerabilities can be found in plan sponsors' websites and member portals, said the report, noting that investment organizations are also at risk due to the handling of investment operations conducted by their staff.

Source: Benefitscanada.com, January 2024

ERISA Fiduciary Concerns Relating to Cybersecurity: Part I -- Theft of Plan Assets

Since a cyber breach is not a matter of if it will occur, but a matter of when, fiduciaries of retirement plans should be addressing this risk. This article discusses the Department of Labor's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries.

Source: Plusblog.org, December 2023

Retirement Plans and Cybersecurity: Insights for Plan Sponsors

With the increased regulatory focus and greater awareness of cyber vulnerabilities within the retirement plan industry, plan sponsors are looking for ways to meet their fiduciary responsibility in mitigating retirement plan cybersecurity risk. This article covers a few of the currently available ways in which sponsors can address the risk.

Source: Berrydunn.com, December 2023

Cybersecurity Triggers a New Paradigm in Vendor Monitoring

Data breach statistics have constantly pointed to third-party service providers being the most significant conduit for compromised personally identifiable information or personal health information. A new era in vendor monitoring has emerged to gain efficiency in the responsibility to oversee service providers.

Source: Rolandcriss.com, October 2023

How to Stay Safe From Evolving Cybersecurity Threats

To minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission's new cybersecurity rules, should adopt prevention measures against threats, and should be prepared to respond if an attack happens, experts say.

Source: Planadviser.com, October 2023

The Future Is Now for ERISA Fiduciary Duties Around Plan Data

ERISA needs to catch up with the information age by identifying plan data as a plan asset, resolving the current ambiguity on that point that has led courts to decide otherwise, and developing the related fiduciary duties, argues Michael Schloss of The Wagner Law Group.

Source: Wagnerlawgroup.com, October 2023

What's at Risk in a Cyberattack on a DC Plan?

Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust, and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers' nest eggs, explains Gregg Levinson, senior director for retirement at WTW.

Source: Plansponsor.com, October 2023

Protect Against a Retirement Plan Cybersecurity Breach or Else: DOL

Earle Allen, Principal with CAPTRUST, asked former EBSA Assistant Secretary Preston Rutledge for an idea of what to expect from a DOL cybersecurity audit and how far plan sponsors and advisors should go in preventative measures. Here is the response.

Source: Napa-net.org, October 2023

MOVEit Cyberattack Ignites Worry About Fiduciary Responsibility

If there's one big takeaway for plan sponsors following the massive MOVEit cyberattack that breached the personal data of millions of participants in public pension and private-sector workplace retirement plans, it's this: They may need to rewrite their vendor contracts and redouble their monitoring of service providers. While no sponsors have yet been sued, it's not far-fetched to think that they could be, according to legal experts.

Source: Pionline.com, August 2023

New York Life Clients Latest Victims of Massive MOVEit Data Breach

Almost 26,000 New York Life customers had their names and Social Security numbers exposed to a data breach, the latest in a massive hack that affected hundreds of companies and millions of Americans. The hack occurred in late May and involved Progress Software, the provider of MOVEit transfer software. MOVEit is used to transfer client data securely.

Source: Napa-net.org, August 2023

MOVEit Hack Brings Vendor Assessment to Forefront

Retirement plan providers and advisers should be taking a close look at vendor cybersecurity protocols after a software transfer hack exposed the private data of millions of people, including retirement plan participants, according to industry experts. SPARK Institute members guide how advisers can both prepare for and respond to participant data concerns stemming from the nationwide breach.

Source: Planadviser.com, July 2023

Data Breach Impacts Nearly 172,000 Tennessee Retirees

The Tennessee Consolidated Retirement System notified retirees and beneficiaries that their names, Social Security numbers, dates of birth, and mailing addresses had been compromised.

Source: 401kspecialistmag.com, July 2023

Multiple Cyber Incidents Impact Employee Benefit Plans and Participants

If a retirement plan has a business relationship with any service provider that uses, used, or may have used the MOVEit software application or RCH services, the plan should determine what fields or categories of personal information were shared with the service provider(s), and by extension MOVEit or RCH, to determine the impact on the plan and its participants. Any service agreements with the applicable vendors should also be reviewed concerning data breach notification, information reporting, and follow-up obligations of the service provider(s).

Source: Beneficiallyyours.com, July 2023

DOL Provides Cybersecurity Tips For Plan Sponsors, Participants

If it wasn't already clear to plan sponsors and retirement plan advisers, Employee Benefits and Security Administration head Lisa Gomez reiterated this week the importance of cybersecurity and increased protection for participants in a new post providing eight areas for guidance. In her blog post on the Department of Labor website, Gomez laid out various tips plan sponsors and advisers can convey to participants for keeping their information safe.

Source: Plansponsor.com, July 2023

Are Your Clients Insured Against Cyber Threats?

Experts share tips for how plan sponsors can protect themselves from the increasing threat of cybersecurity attacks and evolving litigation.

Source: Planadviser.com, June 2023

Plan Committees Need Consistent Focus on Cybersecurity

Retirement plans are a target today because that is where so much wealth is held by American savers. Therefore, it is crucial for retirement plan committees -- and their advisers -- to engage in cybersecurity discussions and reviews as an ongoing part of their work.

Source: Planadviser.com, June 2023

CalPERS Cybersecurity Breach Affects 769,000 Members

A major cybersecurity breach involves one of the world's largest pension funds. CalPERS announced last week that approximately 769,000 retired members and their families had personal information exposed in a "worldwide data security incident" that impacted one of its contracted third-party vendors, PBI Research Services/Berwyn Group.

Source: Napa-net.org, June 2023

Participant Data Breach Hits Retirement Clearinghouse

Retirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans, has alerted more than 10,500 individuals that their data, including individual retirement account numbers, may have been compromised. The organization alerted individuals with written notice, dated May 12, that their information may be at risk for fraud, according to public filings in the states where they are located.

Source: Plansponsor.com, May 2023

Plan Sponsors Should 'Definitely' Have Cyber Liability Insurance: Lisa Gomez

At PSCA National just last week, ARA CEO Brian Graff and EBSA Assistant Secretary Lisa M. Gomez discussed a wide range of topics, including the many misunderstandings about cyber liability insurance (which could be a huge fiduciary failure) and the ESG rule.

Source: Napa-net.org, May 2023

401k Participant Drops Data Breach Suit Against Transamerica

A retirement plan participant has dropped a lawsuit filed against Transamerica Retirement Solutions alleging that the retirement plan provider failed to exercise reasonable care in securing and safeguarding personally identifiable information, including names, addresses, Social Security numbers, and retirement fund contribution amounts.

Source: Planadviser.com, March 2023

Who's Liable When a Plan Participant Is a Victim of Identity Theft

Because of the scarcity of case law and regulatory guidance on the issues, any case that analyzes the liability of ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized. A recent opinion in the Southern District of New York has widened the scope of liability for potential ERISA defendants in actions seeking to recover fraudulent distributions from ERISA-covered plans. It has also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money.

Source: Wagnerlawgroup.com, February 2023

Responding to a Cyberterrorist Attack

It is a growing club that no one wants to join: the club of companies that became victims of cyberterrorism. Whether the release of credit card data from the infamous Target inside job, the gas pipeline shutdown at Colonial Pipeline, or the more recent CNA Financial ransom attack, it is often not a question of "if" a company will be attacked, but "when." Recently, a major software provider to third-party administrators joined this horrible club. The question addressed here is "What should we do about this issue?"

Source: Ntsa-net.org, January 2023

Cybersecurity: Retirement Plan Sponsors Can Protect Themselves

The digital world has opened many doors, including theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. This article reviews how plan sponsors can protect themselves and their participants while meeting fiduciary obligations.

Source: Captrust.com, January 2023

The Colgate Participant Account Cyber Theft Case Survives Dismissal

A New York federal district court ruled on December 19, 2022, that a participant in the Colgate-Palmolive defined contribution plan adequately alleged breach of fiduciary duty claims against the plan recordkeeper and the plan fiduciary committee. It is a curious decision that is worth studying to understand whether plan participants have potentially viable claims against the plan recordkeeper and plan fiduciaries when a participant's account is hacked.

Source: Euclidspecialty.com, December 2022

More Hackers Going After Retirement Savings, Experts Say

Employer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, and cryptocurrency investing is particularly at risk for scams, according to two financial-focused cybersecurity experts.

Source: Planadviser.com, December 2022

SPARK Releases Updated Data Security Best Practices

The SPARK Institute released Monday its Plan Sponsor and Advisor Guide to Cybersecurity, laying out its specific data security "Best Practices and seventeen Control Objectives." Developed by its Data Security Oversight Board, SPARK's best practices and control objectives establish a base of communications between recordkeepers and the public through third-party audits of cybersecurity control objectives.

Source: Planadviser.com, November 2022

SPARK Institute Releases Updated Cybersecurity Standards for Plan Sponsors and Advisors

Recordkeepers and retirement industry consultants are banding together to beef up cybersecurity. A collaborative effort between recordkeepers and consultants leads to updated Data Security Best Practices and a new Plan Sponsor and Advisor Guide to Cybersecurity to strengthen the retirement industry's defenses against cyber criminals.

Source: 401kspecialistmag.com, November 2022

Cybersecurity: Insights and Action Steps

Cybercriminals are creative and resourceful and they're not just after bank accounts. Industry experts in a recent webinar cautioned that retirement plans are in their sights as well. This article outlines some concrete steps that can be taken to address and protect retirement plans against cybercrime.

Source: Ntsa-net.org, October 2022

Cybersecurity Breach Suits Raise Questions About Liability for Benefits Plans

Cybersecurity breaches concerning workers' personal information and retirement savings have increased liability risks for benefit plans and third-party administrators under federal benefits laws. In February 2021, the GAO issued a report warning about these increased legal risks for ERISA plan fiduciaries due to cyber breaches. The GAO also warned that outsourcing various functions involving retirement plans to third-party administrators could increase the potential for unauthorized access to participants' information. In recent years, the GAO's warnings have become a reality.

Source: Hallbenefitslaw.com, October 2022

Is It Time for ERISA to Be Amended to Cover Cyber Crimes?

It is no surprise that cyberattacks are a grave concern for sponsors of retirement plans. Under ERISA, fiduciaries and persons handling funds must be bonded to protect against fraud and dishonesty. This article discusses this required ERISA bond and the interplay of other types of insurance coverage, and concludes with a recommendation that Congress amend ERISA to require insurance to address cyber crimes.

Source: Foxrothschild.com, October 2022

Common Myths of Cyber Insurance for Employee Benefit Plans

Cyber insurance is a critical component of the cyber security risk management program necessary to protect employee benefit plans and participant retirement assets. But the current way plan fiduciaries seek cyber and crime coverage needs to change and this article explains why.

Source: Euclidspecialty.com, October 2022

In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL Subpoena

In an enforcement action involving an administrative subpoena seeking documents from a service provider for employer-sponsored health and retirement plans, the Seventh Circuit held that the DOL's investigatory authority under ERISA is not limited to ERISA plan fiduciaries. The Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome.

Source: Westlaw.com, October 2022

401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.