401k: Theft?



It’s happening. Recently, for example, a man in Maryland was indicted for money laundering after implementing a computer fraud scheme to illegally access $246,390 from a 401k account. No wonder the Department of Labor—and plan sponsors across the country—have ever more to worry about when it comes to cybersecurity responsibilities.


Unauthorized Access

Experts continue to remind us that it’s not that hard for cybercriminals to access retirement funds. Cyber-enabled fraud and theft is frequently the result of basic security failures. In fact, according to experts at the National Security Agency, FBI and the Cybersecurity and Infrastructure Security Agency: “Malicious threat actors commonly take advantage of incorrect access privileges, unenforced multi-factor authentication (MFA) or unpatched software during the initial phase of an attack.” As the NSA’s director of cybersecurity sums up: “No need for fancy [zero]-days when these weak controls and misconfigurations allow [adversaries] access….”


The case in Maryland offers an important reminder for retirement plan sponsors about the importance of being prepared for cyber—and fiduciary—breaches. As 401k Specialist Magazine reports, a man hacked into the 401k account of an employee at a New Jersey-based company and then worked with others: “They…added a bank account belonging to another individual to the victim’s 401k account without the victim’s knowledge or authorization. It was designated as the account to receive withdrawals from the victim’s 401k account, and a total of $246,390 was transferred to the unauthorized bank account.” The proceeds were then converted into cashier’s checks and deposited into other bank accounts, and ultimately withdrawn.
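The case turned on two silent steps: a payout bank account was added without the participant knowing, and money was then paid out to it. The following is an added illustration, not code from the magazine, the court record or Colonial Surety, of the kind of servicing-side controls that address exactly those steps: a fresh MFA step-up before a payout destination can change, a participant notification on every change, and a hold period before a newly added account can receive money. All names, timestamps, the hold period and the MFA freshness window are constructed assumptions.

```python
"""Added example: recordkeeper-side controls for payout-destination changes.
Hypothetical model; not any real plan administrator's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MFA_FRESHNESS = timedelta(minutes=10)   # assumed: how recent the MFA step-up must be
PAYOUT_HOLD = timedelta(days=7)         # assumed: cooling-off before a new account is paid


@dataclass
class Session:
    user_id: str
    mfa_verified_at: Optional[datetime] = None  # None means password-only login


@dataclass
class PlanAccount:
    owner_id: str
    balance: float
    payout_accounts: Dict[str, datetime] = field(default_factory=dict)  # bank acct -> when added
    alerts: List[str] = field(default_factory=list)                      # participant notifications


def _require_owner(acct: PlanAccount, session: Session) -> None:
    if session.user_id != acct.owner_id:
        raise PermissionError("session does not belong to the account owner")


def add_payout_account(acct: PlanAccount, session: Session, bank_account: str, now: datetime) -> None:
    """Designate a new destination bank account. Requires a fresh MFA step-up and
    always notifies the participant, so the change can never be silent."""
    _require_owner(acct, session)
    if session.mfa_verified_at is None or now - session.mfa_verified_at > MFA_FRESHNESS:
        raise PermissionError("MFA step-up required to change a payout destination")
    acct.payout_accounts[bank_account] = now
    acct.alerts.append(f"{now.isoformat()} payout account added: {bank_account}")


def request_withdrawal(acct: PlanAccount, session: Session, bank_account: str,
                       amount: float, now: datetime) -> str:
    """Approve a withdrawal only from an MFA-authenticated session and only to a
    destination that has aged past the hold period; otherwise hold it and alert."""
    _require_owner(acct, session)
    if session.mfa_verified_at is None:
        raise PermissionError("withdrawals require an MFA-authenticated session")
    if bank_account not in acct.payout_accounts:
        raise ValueError("unknown payout account")
    if amount > acct.balance:
        raise ValueError("insufficient balance")
    age = now - acct.payout_accounts[bank_account]
    if age < PAYOUT_HOLD:
        acct.alerts.append(
            f"{now.isoformat()} withdrawal of {amount:.2f} to {bank_account} HELD "
            f"(destination added {age.days} day(s) ago)")
        return "held"
    acct.balance -= amount
    return "approved"


def replay_case() -> dict:
    """Constructed scenario mirroring the case: stolen password, attacker tries to add an
    accomplice's bank account and withdraw $246,390. Returns the outcome of each step."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    victim = PlanAccount(owner_id="participant-1", balance=300_000.0)
    outcomes = {}

    # 1. Attacker holds the password but cannot complete MFA: change is refused.
    attacker = Session(user_id="participant-1")
    try:
        add_payout_account(victim, attacker, "ACCOMPLICE-BANK-9999", t0)
        outcomes["no_mfa_change"] = "allowed"
    except PermissionError:
        outcomes["no_mfa_change"] = "blocked"

    # 2. Even a fully authenticated owner cannot drain to a brand-new destination at once.
    owner = Session(user_id="participant-1", mfa_verified_at=t0)
    add_payout_account(victim, owner, "NEW-BANK-1234", t0)
    outcomes["fresh_account_withdrawal"] = request_withdrawal(
        victim, owner, "NEW-BANK-1234", 246_390.0, t0 + timedelta(hours=1))

    # 3. After the hold period the same withdrawal goes through.
    outcomes["aged_account_withdrawal"] = request_withdrawal(
        victim, owner, "NEW-BANK-1234", 246_390.0, t0 + PAYOUT_HOLD)
    outcomes["alerts"] = len(victim.alerts)   # one for the change, one for the held withdrawal
    outcomes["balance"] = victim.balance
    return outcomes


if __name__ == "__main__":
    print(replay_case())
```

The design choice worth noting is that none of the three controls depends on spotting the attacker: a compromised password still fails the step-up, a legitimate-looking change still produces a notification the real participant will see, and a rushed withdrawal still sits in the hold window long enough for that notification to be acted on.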


Obligated To Mitigate

Plan sponsors are urged to remember that the Department of Labor’s 2021 cybersecurity guidance for plan sponsors shared best practices and pointers for hiring and monitoring service providers, managing cybersecurity and educating participants on secure processes for accessing their accounts. Ultimately, as law experts point out, the DOL’s guidance also means “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”


Because cyber breaches can result in allegations of fiduciary breaches for plan sponsors, being protected with both cyber and fiduciary liability insurance is critical. Colonial Surety makes it efficient and affordable for even small businesses to put these protections in place immediately. Obtain and download your Cyber-Fiduciary Liability coverage pack today and you’ll immediately have:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call Center services.
  • Credit and identity monitoring.


Colonial’s Cyber-Fiduciary Pack also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual fiduciary breaches of duty in connection with the employee retirement plan. At Colonial, we make it so efficient and reasonable for plan sponsors to secure insurance that you can do it in minutes, now:


Cyber and Fiduciary Liability Insurance Here.


Not A Techie or Tech Business?

Cybercrime impacts all of us—and most of it is carried out with fairly low-tech approaches. For example, according to Gartner Research, about 40% of breaches are caused by “well known misconfiguration of common control…Both advanced persistent threats (APTs) and common off-the-shelf malware exploit these configuration mistakes to compromise their victims…” In other words, weak security practices and protocols are throwing out the welcome mat for cybercrime. Common examples of these weak practices include failure to enforce multi-factor authentication and continued use of outdated software.


Obviously, cybercrime has also become easier given the proliferation of technology in our lives and work. Whether we think we are in the tech business or not, we are. These days, the owners of even the smallest of businesses or start-ups are likely to have customer information on their phones, billing information on their laptops and so on. That’s why legal experts recommend cybersecurity insurance for “just about every business,” noting: “Any business, large or small, needs cybersecurity insurance if it stores sensitive information such as cell phone numbers, credit card information, driver license numbers, social security numbers, or health information. In other words, just about every business…should have cybersecurity insurance.”


When it comes to retirement plan sponsorship, companies must be ever more careful about protecting everyone’s assets. As one expert underscores: “Most small businesses are privately owned, and the business owner is often a fiduciary to the plan. Fiduciaries are personally liable for the decisions they make. They don’t get to stand behind the corporate veil of protection if they make the decision to offer a plan to their employees. Their personal assets are exposed to liability.” Why take unnecessary risks? Colonial’s Protection Pack includes both Fiduciary and Cyber Liability Insurance—providing you with:


  1. Legal defense and coverage for penalties against claims of alleged or actual breaches of fiduciary duties.
  2. Defense against lawsuits and regulatory actions related to a cyber breach.
  3. Expert-led response, notification and crisis management services to prevent a cyber incident from spiraling into a disaster.

Cyber and Fiduciary Protection Right Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.