Legal experts break down why 401(k) plans are so vulnerable to cyber security breaches, explain the potential for related lawsuits and offer practical actions to mitigate risk.
Expert Guidance from Proskauer and Microsoft
The broad news on big hacks, data theft, cyber attacks and breaches may stop us in our tracks—but it is often hard to know how to apply it to our own responsibilities. Recently, a law partner at Proskauer and a senior attorney from Microsoft Corporation recorded a podcast explaining the particular challenges facing retirement plans and their fiduciaries. Some of their key points and practical suggestions are highlighted here for busy plan sponsors.
Juicy Data Attracts Cybercriminals
While data is generally valuable, retirement plan data is particularly so—and therefore it is especially vulnerable to cyber security breaches:
From a cyber-criminal’s perspective, employee data is juicy; it’s not just that there’s a lot of it — and there is — but it’s incredibly sensitive in nature: social security numbers, birth dates, bank accounts, medical information, beneficiary information and the like. Not only that, participants aren’t just employees; they’re former employees, so that’s an extra bonus for the cyber-criminal. In recent years we’ve heard a lot about data-rich healthcare entities being a prime target of hackers, resulting in mega breaches of employee data…. Employee benefit plans are very close cousins in terms of the kind of data that they hold. What’s more, benefit plans don’t just hold the data. They share it with a number of different kinds of service providers. They give people electronic access to it and that creates multiple points of entry and vulnerabilities.
Take a Look: Cyber Crime In Action
Once criminals access a participant account they can:
Actually drain the funds from that account, usually in multiple transactions — the money going overseas and it’s probably never going to come back again.
It could be accomplished by accessing a participant’s email password, for example; then the person goes on to the 401(k) platform and clicks “forgot password” using the participant’s email and is able to go in and essentially pretend to be that participant, reset the password and do whatever they want with that participant’s account. Or it could be that the participant…actually made a legitimate 401(k) withdrawal and a cyber-criminal was able to essentially stop that and hack into the expense account….
Legal experts are finding:
When there are losses in benefit plans you can pretty much bet that somebody’s going to sue somebody.
We’re seeing breach of fiduciary duty claims under ERISA essentially arguing that the employer, the record keeper, the plan, the fiduciaries — all had a fiduciary duty to essentially act prudently…. And plaintiffs alleging that they effectively breached that duty by failing to implement… sufficient controls to prevent these types of cyber criminals from being able to go in and access their 401(k) accounts. Whether it’s the record keeper didn’t have two-factor authentication…or voiceprint-type technology that they…arguably should have had in place to allow the participants to take steps to protect themselves, or failing to notice any sort of abnormal withdrawal requests that may be coming in on a participant’s account and verifying with the participant that they did indeed make those withdrawal requests.
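The last control the attorneys mention, noticing abnormal withdrawal requests and confirming them with the participant before funds leave the plan, can be a small rule-based screen run by the recordkeeper on every distribution request. The following is an added example, not code from the article, the podcast, or any recordkeeper; the event fields, the participant history and the thresholds (48-hour password-reset window, three withdrawals in 24 hours, $10,000 large-amount line) are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Withdrawal:
    participant_id: str
    amount: float
    requested_at: datetime
    destination_account: str   # opaque token for a bank account; raw numbers never belong in logs
    source_country: str        # geolocation of the requesting session (constructed field)


@dataclass
class Profile:
    participant_id: str
    known_accounts: Set[str]                  # destinations used on prior, confirmed withdrawals
    home_country: str
    last_password_reset: Optional[datetime]   # e.g. set by the "forgot password" flow
    prior_withdrawals: List[Withdrawal] = field(default_factory=list)


# Thresholds are constructed for this example; a real program would tune them to its data.
RESET_WINDOW = timedelta(hours=48)
BURST_WINDOW = timedelta(hours=24)
BURST_COUNT = 3
LARGE_AMOUNT = 10_000.0


def screen(req: Withdrawal, profile: Profile) -> List[str]:
    """Return the anomaly reasons for one request (empty list means it looks routine)."""
    reasons: List[str] = []
    if req.destination_account not in profile.known_accounts:
        reasons.append("destination account never used before")
    if (profile.last_password_reset is not None
            and timedelta(0) <= req.requested_at - profile.last_password_reset <= RESET_WINDOW):
        reasons.append("password reset within 48h of request")
    recent = [w for w in profile.prior_withdrawals
              if timedelta(0) <= req.requested_at - w.requested_at <= BURST_WINDOW]
    if len(recent) + 1 >= BURST_COUNT:
        reasons.append(f"{len(recent) + 1} withdrawals within 24h")
    if req.source_country != profile.home_country:
        reasons.append("request originates outside participant's home country")
    if req.amount >= LARGE_AMOUNT:
        reasons.append("amount at or above large-withdrawal threshold")
    return reasons


def decide(req: Withdrawal, profile: Profile) -> Tuple[str, List[str]]:
    """Release routine requests; hold anything anomalous until the participant confirms out of band."""
    reasons = screen(req, profile)
    return ("release" if not reasons else "hold_for_participant_verification", reasons)


def sample_cases():
    """Constructed history and three requests: one routine, one account-takeover pattern, one burst."""
    reset_time = datetime(2024, 5, 1, 9, 0)
    profile = Profile("P-1001", {"acct-token-A"}, "US", reset_time)
    routine = Withdrawal("P-1001", 2_000.0, datetime(2024, 6, 15, 10, 0), "acct-token-A", "US")
    # New destination, hours after a password reset, from a non-home location ("ZZ" is a placeholder).
    takeover = Withdrawal("P-1001", 5_000.0, reset_time + timedelta(hours=5), "acct-token-B", "ZZ")
    june = datetime(2024, 6, 20, 8, 0)
    burst_profile = Profile("P-1001", {"acct-token-A"}, "US", reset_time, [
        Withdrawal("P-1001", 3_000.0, june, "acct-token-A", "US"),
        Withdrawal("P-1001", 3_000.0, june + timedelta(hours=2), "acct-token-A", "US"),
    ])
    burst = Withdrawal("P-1001", 3_000.0, june + timedelta(hours=4), "acct-token-A", "US")
    return profile, routine, takeover, burst_profile, burst


if __name__ == "__main__":
    profile, routine, takeover, burst_profile, burst = sample_cases()
    for label, req, prof in (("routine", routine, profile),
                             ("takeover", takeover, profile),
                             ("burst", burst, burst_profile)):
        print(label, decide(req, prof))
```

The point of the hold decision is that the recordkeeper verifies with the participant through a channel the request did not come from (a phone number or address on file before the reset), which is exactly the step the quoted claims fault plans for skipping.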
As a plan sponsor, understand: the ERISA bond required for the retirement plan protects the participants of the plan, but does not cover you—the plan sponsor—as a fiduciary.
Let Colonial Surety Company help you with an affordable ERISA bond package that provides plan sponsors up to $1,000,000 of fiduciary liability insurance. Our 2- or 3-year ERISA bond packages provide the greatest overall savings and protection. With a package, you can add both fiduciary liability and cyber liability insurance. Colonial even includes extended coverage to ensure your ERISA bond remains US Department of Labor compliant.
Implement Best Practices
Experts stress the importance of raising plan participant awareness about their role in protecting their accounts. Weak passwords, phishing scams, and the use of unsecured networks (e.g., logging in from Starbucks) all create risks.
Consistently and repeatedly communicate with plan participants about the safety measures they need to take, such as using strong passwords and keeping them confidential, and enabling multi-factor authentication. (Make sure your plan recordkeeping provider makes multi-factor authentication available.)
As fiduciaries, plan sponsors are reminded about due diligence and monitoring. For example, fiduciary committee meeting agendas and minutes should reflect how you are monitoring the service providers. Check too that contracts have specific language about what happens if there is a security incident.
Don’t forget, Colonial Surety Company is here to help in this challenging digital era. Select an affordable coverage package and receive a full service solution that includes:
- The ERISA bond required to protect the assets of the retirement plan from theft;
- Cyber Liability coverage to safeguard your company and plan from covered losses and expenses in the event of a cyber breach; and,
- Fiduciary Liability coverage to protect you and your assets from personal liability.
Colonial Surety Company provides user-friendly, digital and direct service. You can easily and quickly purchase your bonds and related insurance coverage online—and instantly print or e-file them from your desktop—or anywhere.
Colonial Surety Company is in business all across the USA. We are rated “A Excellent” by A.M. Best Company and U.S. Treasury listed.