© 2024 M&T Bank and its affiliates and subsidiaries. All rights reserved.

Fiduciary concerns over plan vulnerabilities to cyber-attacks, cyber theft, and the need for strong cybersecurity measures to protect against those risks are continuing to grow in prominence. The sizeable balances that many 401(k) plan participants have accumulated, and that often reflect many years of diligent savings and careful investment, are attractive targets for cybercriminals. Cybercriminals frequently attempt to defeat plan security procedures by impersonating participants. Those attempts occasionally succeed, allowing fraudsters to abscond with all or most of a participant’s account balance. The loss of funds can be devastating to the affected participant. Such events have also given rise to a number of unsettled legal questions as to who should bear the financial responsibility for such losses, including whether and how that burden should be allocated among plan service providers, plan sponsors, and other participants. However, theft of plan assets is not the only goal of cybercriminals. Participant-directed retirement plan records contain a plethora of sensitive personal information that can entice hackers interested in perpetrating identity theft and other forms of fraud against participants outside of the plan. As these risks have grown, there has been an increasing focus on the importance of making sure that plan participants are protected against these cybersecurity risks, and on the need to educate participants on the importance of sound “cyber-hygiene” protocols aimed at keeping their accounts secure.

Growing Risks for Plans

According to a 2022 survey by Callan, cybersecurity is already a top concern for plan sponsors, with nearly a third of sponsors polled indicating that they intended to review and audit security practices. Their concerns aren’t unfounded. While the exact number of cyberattacks on retirement plans is unknown, there have been several publicized instances of fraudulent plan account “takeovers” that have led to substantial losses and subsequent lawsuits. As noted below, the Department of Labor (DOL) has stepped up its emphasis on the potential fiduciary implications associated with cybersecurity risks. That focus is likely to grow as the ERISA Advisory Council has indicated an intent to take up the issue of cybersecurity in 2022 and to make recommendations to the DOL on how plans might better protect against these risks.

Multiple Avenues of Attack

Most people know not to share passwords or use public computers to check sensitive information. But risks remain even if participants and fiduciaries follow these basic protocols. One of the most common avenues of attack involves phishing, where a cybercriminal sends a fake message that resembles official correspondence and baits the recipient into entering personal information that may then be used to gain access to accounts. According to Deloitte, 91% of all cyber attacks begin with a phishing email to an unexpected victim.[1] In addition to phishing, hackers could target the plan’s hosting servers directly to gain access.

DOL Guidance

The DOL has issued guidance for plan fiduciaries that outlines their responsibility to ensure their plans are safe and provides best practices for cybersecurity. Since very few plans maintain account records in-house, the guidance comes in the form of “tips” for plan fiduciaries to use when hiring plan recordkeepers and other service providers to make sure strong cybersecurity measures are in place. The DOL expresses the view that the fiduciary duty to prudently select and monitor plan service providers extends to inquiring about the provider’s cybersecurity practices and how those practices compare to prevailing industry standards. The DOL suggestions include inquiring about whether the provider annually audits and reports on adherence to information security, system/data availability, processing integrity, and data confidentiality standards. It also suggests that plan fiduciaries consider the provider’s “track record” for securely maintaining data, review sample service provider contract clauses addressing cybersecurity matters (e.g., provisions requiring notification of cybersecurity incidents), and confirm that the provider maintains adequate levels of professional liability insurance.

Following the DOL’s cybersecurity tips provides a way for fiduciaries to demonstrate prudence by seeking to ensure that service providers are well suited to provide adequate levels of safety and security for plan participants.

DOL Resources

Participants

The DOL issued a short overview of “Online Security Tips” including reminders for participants that address key cyber-hygiene practices, including the use of multi-factor authentication to protect plan accounts.

Recordkeepers

The DOL issued a 12-part checklist for service providers to include in their cybersecurity program. Items include conducting annual risk assessments, third-party audits, data encryption, and ongoing monitoring and training.

What’s Next? Five Best Practices to Implement in 2023:

  • Update RFP templates to include questions about cybersecurity
  • Educate committee on guidance as it pertains to their responsibilities
  • Identify service providers to whom this guidance applies
  • Monitor service provider adherence initially and ongoing
  • Educate participants on cybersecurity best practices

Consult with our team of experienced professionals to help navigate the complexities associated with administering a retirement plan. 


[1] https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html

Sources:

https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf

https://www.plansponsor.com/cybersecurity-preventing-plan-leakage-top-mind-sponsors/

https://www.cnbc.com/2021/03/16/labor-department-falls-short-on-401k-cyber-protections-gao-says.html

https://www.techtarget.com/searchsecurity/feature/Cryptocurrency-cyber-attacks-on-the-rise-as-industry-expands

https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf


This content is sourced by RPAG. Services provided by Wilmington Trust, N.A.

This article is for educational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or as a determination that any investment strategy is suitable for a specific investor. Investors should seek financial advice regarding the suitability of any investment strategy based on their objectives, financial situations, and particular needs. This article is not designed or intended to provide financial, tax, legal, accounting, or other professional advice since such advice always requires consideration of individual circumstances. If professional advice is needed, the services of a professional advisor should be sought.
