Cybersecurity—and Lawsuits Too



The disruption and costs for retirement plan sponsors continue long after hacks or other forms of cybercrime invade the retirement plan. Lawsuits are keeping plan sponsors and record keepers busy. Experts urge preventative action and emphasize the importance of employee training.


Reduce The Probability

Though cybersecurity cannot be 100% guaranteed, plan sponsors need to follow the best advice of experts and the Department of Labor. MarketScreener offers this five-point summary:


  1. Require that record keepers maintain cybersecurity insurance and have their procedures audited regularly by outside parties. Put these obligations in service agreements.

  2. Thefts can also result from hacking into employee computers at the worksite or when working remotely. Plan sponsors should also maintain cybersecurity insurance and have their procedures audited.

  3. Whenever contact information is changed, send text and e-mail notices immediately using the prior contact information, alerting the participants to contact the recordkeeper immediately if they did not initiate the changes.

  4. Impose a mandatory delay on payment of any distributions requested immediately after a change in contact information.

  5. Require confirmation of identity beyond passwords, such as photo ID…or specific personal identifiers.


It’s wise for plan sponsors to brush up on the Department of Labor’s cybersecurity guidance, including the pointers for educating employees and plan participants on secure processes. Recent lawsuits against both plan sponsors and record keepers point to failures in some of the basics associated with keeping accounts secure.

Because cyber breaches can quickly lead to allegations of fiduciary breaches, it is increasingly essential for plan sponsors to have both cyber and fiduciary liability insurance. Colonial Surety makes it efficient and affordable for even small businesses to put these protections in place. Obtain and download your Cyber-Fiduciary Liability coverage pack today and you’ll immediately have:


  • Expert-led response services following a data breach.
  • Protection from lawsuits and regulatory actions related to the breach.
  • Legal services.
  • Computer forensic services.
  • Public relations and crisis management expenses.
  • Notification services.
  • Call Center services.
  • Credit and identity monitoring.


Colonial’s Cyber-Fiduciary Pack also covers defense costs and penalty limits up to $1,000,000 if faced with claims of alleged or actual fiduciary breaches of duty in connection with the employee retirement plan. At Colonial, we make it so efficient and reasonable for plan sponsors to secure insurance that you can do it in minutes, now:


Cyber and Fiduciary Liability Insurance Here.


Procedural Failures

The Department of Labor’s cybersecurity guidance underscores the link between identity theft and fraudulent distributions and urges training for employees “at least annually,” noting:


Employees are often an organization’s weakest link for cybersecurity. A comprehensive cybersecurity security awareness program sets clear cybersecurity expectations… and educates everyone to recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat. Since identity theft is a leading cause of fraudulent distributions, it should be considered a key topic of training, which should focus on current trends to exploit unauthorized access to systems. Be on the lookout for individuals falsely posing as authorized plan officials, fiduciaries, participants or beneficiaries.


Indeed, much of the cybercrime impacting retirement accounts is the result of low-tech approaches that exploit weak implementation of protocols. For example, here’s the complaint from one of the lawsuits that has been filed against a plan sponsor and record keeper:


After several unsuccessful attempts to process changes online, a thief called…to change the password, e-mail, address and bank account information for the participant’s account. No notice of the change was sent to the participant’s prior e-mail address or telephone number. The mailing address was not in the same country as the other contacts. A temporary password was mailed to the participant but without notifying the participant by e-mail or text that a temporary password had been requested and mailed out. The mail was intercepted by the thief. Although the SPD indicated that there would be a 14 day wait before a distribution would be made following an address change, no such waiting period was imposed and an immediate lump sum distribution was quickly made. The participant did not discover the theft until she checked her account balance…
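As an added example (not from the article, MarketScreener or Colonial Surety), here is how a recordkeeper could enforce two of the controls from the five-point summary above, notifying the prior contact channels on every change and holding distributions requested inside the waiting period, replayed against the sequence in the complaint. The Account fields, the 14-day HOLD_DAYS value (taken from the complaint's SPD) and the notice text are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_DAYS = 14  # waiting period the complaint says the SPD promised (assumed constant)


@dataclass
class Account:
    participant_id: str
    email: str
    phone: str
    address: str
    bank: str
    contact_changes: list = field(default_factory=list)  # (when, field, old, new)


def apply_contact_change(acct, when, field_name, new_value):
    """Apply a change and return the notices owed to the PRIOR contact channels.
    The old e-mail and phone are captured before the change so the real participant
    is alerted even when the new channels are controlled by someone else."""
    prior_channels = {"email": acct.email, "phone": acct.phone}
    old = getattr(acct, field_name)
    setattr(acct, field_name, new_value)
    acct.contact_changes.append((when, field_name, old, new_value))
    msg = (f"Your {field_name} was changed on {when:%Y-%m-%d}; contact the "
           "recordkeeper immediately if you did not request this change.")
    return [(channel, target, msg) for channel, target in prior_channels.items()]


def evaluate_distribution(acct, requested_at):
    """Hold any distribution requested within HOLD_DAYS of a contact change.
    Returns ("approve", None) or ("hold", earliest_release_datetime)."""
    recent = [c for c in acct.contact_changes
              if timedelta(0) <= requested_at - c[0] < timedelta(days=HOLD_DAYS)]
    if not recent:
        return ("approve", None)
    release = max(c[0] for c in recent) + timedelta(days=HOLD_DAYS)
    return ("hold", release)


if __name__ == "__main__":
    # Constructed replay of the complaint: contact details changed, then an
    # immediate lump-sum request. With the controls in place the prior e-mail
    # and phone receive notices and the distribution is held.
    acct = Account("P-0001", "participant@example.com", "+1-555-0100",
                   "1 Main St, USA", "bank-on-file")
    t0 = datetime(2024, 1, 1)
    for f, v in (("email", "attacker@example.net"), ("address", "Elsewhere, abroad"),
                 ("bank", "new-bank")):
        for channel, target, msg in apply_contact_change(acct, t0, f, v):
            print(f"notify {channel} {target}: {msg}")
    print(evaluate_distribution(acct, t0 + timedelta(days=1)))
```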


Ideally, regular and thorough training and audits to ensure cybersecurity protocols are being followed will protect the retirement plan. However, in the event of a breach, and the resulting lawsuit, it’s best to have protection. Colonial’s Protection Pack includes both Fiduciary and Cyber Liability Insurance, providing you with:


  1. Legal defense and coverage for penalties against claims of alleged or actual breaches of fiduciary duties.
  2. Defense against lawsuits and regulatory actions related to a cyber breach.
  3. Expert-led response, notification and crisis management services to prevent a cyber incident from spiraling into a disaster.


Cyber and Fiduciary Protection Right Here.


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.