It’s no secret that both the money and data in retirement plans offer cybercriminals lucrative targets. As cybersecurity breaches threatening retirement accounts become more common, so too do lawsuits brought against retirement plan sponsors on behalf of plan participants. Labor law attorneys urge precautionary measures, reminding sponsors that under ERISA, they retain the ultimate responsibility for safeguarding plan assets, and can be held personally liable for shortcomings.
Appropriate Precautions Advised
Given the rise of cybersecurity threats, and the trillions of dollars in defined contribution plans, like 401(k)s, the Department of Labor (DOL) expects plan sponsors to adhere to its Cybersecurity Guidance, issued with this message: “ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.” Labor and employment law specialists at Littler remind retirement plan sponsors: “Although employers generally outsource administration of ERISA plans to service providers, employers retain a fiduciary duty to manage the plan for the benefit of the participants. The DOL appears to interpret this to mean that employers have a duty to safeguard plan data and assets from cybersecurity risks.” In addition to adhering to DOL expectations around cybersecurity, it is critical for plan sponsors to be aware that, following cybersecurity incidents, lawsuits on behalf of plan participants are on the rise:
After a hack impacting an ERISA plan’s assets or data, plan participants increasingly respond with litigation. Their targets can include the employer that sponsors the plan, plan administrators, and other fiduciaries. These suits can involve serious allegations, including breaches of the fiduciary duties ERISA imposes, for alleged failures to maintain adequate cybersecurity measures. The plaintiffs’ bar representing participants in such lawsuits is specialized and opportunistic…. Plan sponsors can therefore find themselves targeted by lawsuits questioning their fiduciary practices. As these lawsuits continue, and as the theories pursued in litigation continue to evolve, fiduciaries should understand that their data security practices (and their supervision of the data security practices used by the service providers they hire) could become the subject of litigation.
Attorneys at Buchanan Ingersoll & Rooney also underscore that failure to mitigate cyber threats can result in fiduciary breach allegations which put the personal assets of sponsors at risk: “Fiduciaries hold significant control over the safety and integrity of a plan’s assets; compliance with ERISA fiduciary duties requires shielding plan assets from cyber threats…. If plan fiduciaries fail to comply with strict ERISA duties regarding a plan’s assets, they can be found personally liable for breaches of their fiduciary obligations.”
Given the rising stakes, retirement plan sponsors will want to carefully review the Department of Labor’s three-prong guidance on cybersecurity: Tips for Hiring a Service Provider, Cybersecurity Program Best Practices, and Online Security Tips. To further guard against allegations of inadequate attention to cybersecurity, attorneys at Littler suggest these steps for plan sponsors:
- Review and, if necessary, enhance vetting programs for service providers to their plans;
- Review contracts with plan service providers to ensure sufficient data security protocols have been memorialized;
- Provide plan committee members with training on cybersecurity topics to ensure they can adequately negotiate and monitor service provider security measures;
- Audit plan service providers to ensure they are living up to their promised cybersecurity commitments; and
- Identify minimum cybersecurity protocols and insurance coverage provisions that will be accepted by plan service providers before entertaining bids or negotiations from vendors.
Attention to cybersecurity is critical for every business, and because plan sponsors from small businesses face the biggest implementation challenges, Colonial Surety Company offers an efficient, affordable and clear solution. Specifically, for a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves, with a Cyber Liability + Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Colonial’s Cyber Liability + Fiduciary Liability Insurance addresses numerous DOL recommendations by explicitly covering the plan and the business, and includes:
- Expert-led response services following a data breach
- Protection from lawsuits and regulatory actions related to the breach
- Legal services
- Computer forensic services
- Public relations and crisis management expenses
- Notification services
- Call center services
- Credit and identity monitoring
Plan sponsors can obtain this comprehensive coverage online in minutes today, or opt to speak directly to one of Colonial Surety Company’s knowledgeable ERISA experts for further support. Mitigate threats to the retirement plan, and reduce your personal liabilities, before another day goes by:
Cyber Liability Insurance + Fiduciary Liability Insurance
Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.