Fiduciary concerns over plan vulnerabilities to cyber-attacks, cyber theft, and the need for strong cybersecurity measures to protect against those risks continue to grow in prominence. The sizeable balances that many 401(k) plan participants have accumulated, often reflecting many years of diligent saving and careful investment, are attractive targets for cybercriminals. Cybercriminals frequently attempt to defeat plan security procedures by impersonating participants. Those attempts occasionally succeed, allowing fraudsters to abscond with all or most of a participant’s account balance. The loss of funds can be devastating to the affected participant. Such events have also given rise to a number of unsettled legal questions as to who should bear the financial responsibility for such losses, including whether and how that burden should be allocated among plan service providers, plan sponsors, and other participants. However, theft of plan assets is not the only goal of cybercriminals. Participant-directed retirement plan records contain a plethora of sensitive personal information that can entice hackers interested in perpetrating identity theft and other forms of fraud against participants outside of the plan. As these risks have grown, there has been an increasing focus on making sure that plan participants are protected against them, and on the need to educate participants on sound “cyber-hygiene” practices aimed at keeping their accounts secure.
Growing Risks for Plans
According to a 2022 survey by Callan, cybersecurity is already a top concern for plan sponsors, with nearly a third of sponsors polled indicating that they intended to review and audit security practices. Their concerns aren’t unfounded. While the exact number of cyberattacks on retirement plans is unknown, there have been several publicized instances of fraudulent plan account “takeovers” that have led to substantial losses and subsequent lawsuits. As noted below, the Department of Labor (DOL) has stepped up its emphasis on the potential fiduciary implications associated with cybersecurity risks. That focus is likely to grow as the ERISA Advisory Council has indicated an intent to take up the issue of cybersecurity in 2022 and to make recommendations to the DOL on how plans might better protect against these risks.
Multiple Avenues of Attack
Most people know not to share passwords or use public computers to check sensitive information. But risks remain even if participants and fiduciaries follow these basic protocols. One of the most common avenues of attack is phishing, where a cybercriminal sends a fake message that resembles official correspondence and baits the recipient into entering personal information that may then be used to gain access to accounts. According to Deloitte, 91% of all cyber attacks begin with a phishing email to an unsuspecting victim.[1] In addition to phishing, hackers could target the plan’s hosting servers directly to gain access.
The DOL has issued guidance for plan fiduciaries that outlines their responsibility to ensure their plans are safe and provides best practices for cybersecurity. Since very few plans maintain account records in-house, the guidance comes in the form of “tips” for plan fiduciaries to use when hiring plan recordkeepers and other service providers, so as to make sure strong cybersecurity measures are in place. The DOL expresses the view that the fiduciary duty to prudently select and monitor plan service providers extends to inquiring about the provider’s cybersecurity practices and how those practices compare to prevailing industry standards. The DOL’s suggestions include asking whether the provider annually audits and reports on adherence to information security, system/data availability, processing integrity, and data confidentiality standards. It also suggests that plan fiduciaries consider the provider’s “track record” for securely maintaining data, review sample service provider contract clauses addressing cybersecurity matters (e.g., provisions requiring notification of cybersecurity incidents), and confirm that the provider maintains adequate levels of professional liability insurance.
Following the DOL’s cybersecurity tips gives fiduciaries a way to demonstrate prudence by seeking assurance that service providers are well suited to provide adequate levels of safety and security for plan participants.
The DOL also issued a short overview of “Online Security Tips” for participants that addresses key cyber-hygiene practices, including the use of multi-factor authentication to protect plan accounts.
In addition, the DOL issued a 12-part checklist of items that service providers should include in their cybersecurity programs. Items include conducting annual risk assessments, third-party audits, data encryption, and ongoing monitoring and training.
What’s Next? Five Best Practices to Implement in 2023:
- Update RFP templates to include questions about cybersecurity
- Educate the committee on the guidance as it pertains to their responsibilities
- Identify the service providers to whom this guidance applies
- Monitor service provider adherence, both initially and on an ongoing basis
- Educate participants on cybersecurity best practices