Retirement plans may have thousands of participants and billions of dollars in plan assets. Unfortunately, these large sums of money are attractive to bad actors who look to prey on unknowing victims by fraudulently accessing funds. Plan administrators, as fiduciaries of retirement plans, are wise to understand their legal obligations and best practices related to the security measures they must implement and maintain to protect these funds from cybercrimes.

Recent Cyber Attacks Against Retirement Plans

Earlier this year, in Bartnett v. Abbott Laboratories, et al. a retirement plan participant (Heide Bartnett) filed a lawsuit against her employer, Abbott Laboratories, the plan administrator, and the plan’s recordkeeper, Alight Solutions, LLC. According to the complaint, an individual impersonating the plaintiff attempted to access her retirement account by selecting the “forgot my password” prompt on the plan’s online recordkeeping platform. After requesting that a one-time security code be sent to the participant’s email account, which the impersonator had already improperly accessed, the impersonator gained access to the participant’s online retirement account and changed its password. Soon after, a new bank account was added to the participant’s retirement plan profile to which funds could be directly deposited from the participant’s retirement plan account. Two days later, the impersonator called Abbott’s service center to inquire about the transaction that he or she was (illegally) facilitating and was told that a distribution could not be made to the new bank account for seven days. Meanwhile, instead of attempting to contact the participant via phone or email (which was the plaintiff’s preferred method of communication), Abbott sent her a “snail mail” notice of the newly added bank account. By the time the participant received the notice, the impersonator had already looted her retirement account. Only a small fraction of the funds taken were recovered and the plaintiff filed a lawsuit seeking to recover $245,000, plus interest and other fees for the alleged breaches of fiduciary duty.

What Can Be Done To Stop Cybercrimes?

Although Abbott Laboratories is still a pending case, the plaintiff’s allegations are a stark reminder of the danger and risk that cybercriminals pose to retirement plans. Accordingly, plan administrators should ensure that the technical, physical, and administrative safeguards they have implemented to protect the confidentiality and integrity of plan assets satisfy basic legal requirements and meet industry security standards. Here are five areas that can serve as a starting point for a cybersecurity review in the retirement plan context:

First, plan fiduciaries should question the cybersecurity policies and procedures of their retirement plan recordkeepers and be aware of the liabilities they face for the shortcomings of their recordkeepers. Inquire about the recordkeeper’s cybersecurity capabilities and the safeguards in place to deter losses due to bad actors. In particular, inquire as to the access controls the recordkeeper has implemented to limit and verify access to an individual’s account. How are the controls created? How often are they tested? Have they ever been compromised, and if so how? What is the recordkeeper’s password policy for account access? Does the recordkeeper require multifactor authentication?

Second, identify whether the plan fiduciaries and the recordkeeper have an adequate level of cybersecurity insurance. It is also worth determining whether any existing insurance or fidelity bond coverage will provide financial relief in the case of a cybersecurity breach. If basic insurance coverage does not apply to forgery, consider a rider for additional coverage.

Third, request a copy of the recordkeeper’s data breach response plan and identify how often the recordkeeper undertakes table-top exercises or similar activities to test its response capabilities. It is important to identify where the plan sponsor aligns within the recordkeeper’s plan and even consider joint data breach-type exercises. If permitted, seek to identify any outside service providers and counsel that the recordkeeper has retained for such emergencies and ensure that they are qualified and capable to respond to data breaches upon a moment’s notice.

Fourth, require the recordkeeper to undergo third-party security and vulnerability testing so they can identify and remediate any aspect of their security program that presents a risk. It is especially important to ensure that high or critical risk vulnerabilities are resolved within hours or days (and not weeks or months). Accordingly, ensure that the recordkeeper has identified (in writing) an official who is fully responsible for the security of the plan’s assets. Accountability is a key aspect of any security program.

Fifth, educate plan participants. Let them know they can take an active role in protecting their own plan assets. As basic as it may seem, remind participants not to share their login or personal information with anyone. The allegations against Abbott Laboratories explain that an email account was compromised which allowed the bad actor to request authentication to the compromised email. Once the false authentication was made, the recordkeeper processed the request to have an additional bank account added. Savvy participants can help play an active role in the protection of their own account assets.

A Tough Road Ahead

Careful considerations by plan administrators have become especially important in light of the COVID-19 pandemic because there has been a steady increase in certain cyber-related crimes during this time. The recently enacted CARES Act provides many retirement plan participants with the opportunity to take large in-service distributions and loans, and such distributions and loans are ripe for the nefarious acts which were the basis for the Abbott Laboratories case. As a result, plan administrators need to stay vigilant and ahead of the curve when it comes to cybersecurity protections.

Print:
EmailTweetLikeLinkedIn
Photo of Steven Stransky Steven Stransky

As a partner in the firm’s Business Litigation, Privacy & Cybersecurity, and Government Contracts groups, Steve primarily focuses on advising clients on complex national and international privacy and information security issues. He assists clients in devising strategies to assess and mitigate cybersecurity risks…

As a partner in the firm’s Business Litigation, Privacy & Cybersecurity, and Government Contracts groups, Steve primarily focuses on advising clients on complex national and international privacy and information security issues. He assists clients in devising strategies to assess and mitigate cybersecurity risks and with maintaining compliance with federal, state, and foreign laws and regulations governing data privacy and security. He provides guidance on regulatory compliance and defends clients’ interests in litigation and government enforcement actions in the areas of data privacy and cybersecurity. In addition, Steve assists defense contractors and other private-sector businesses in satisfying cybersecurity standards issued by the federal government and in developing and maintaining insider threat programs.

Photo of Mark Kroboth Mark Kroboth

Mark is an associate in the Employee Benefits & Executive Compensation practice group. He focuses his practice on assisting public and private companies of all sizes with the design, implementation and maintenance of tax qualified pension, 401(k) and profit-sharing plans, non-qualified deferred compensation…

Mark is an associate in the Employee Benefits & Executive Compensation practice group. He focuses his practice on assisting public and private companies of all sizes with the design, implementation and maintenance of tax qualified pension, 401(k) and profit-sharing plans, non-qualified deferred compensation plans, change in control plans and agreements, equity compensation arrangements and health and welfare benefit plans.

Photo of Brian J. Lamb Brian J. Lamb

Brian is the leader of the firm’s Business Litigation practice group.  He represents companies and their directors and officers in complex business disputes, including ERISA litigation, securities and shareholder litigation, corporate governance and fiduciary disputes, and litigation arising out of mergers, acquisitions and…

Brian is the leader of the firm’s Business Litigation practice group.  He represents companies and their directors and officers in complex business disputes, including ERISA litigation, securities and shareholder litigation, corporate governance and fiduciary disputes, and litigation arising out of mergers, acquisitions and tender offers, and complex contract disputes. Brian also has significant experience litigating tax controversies against the federal government.

Photo of Julia Love Julia Love

Julia has more than 20 years of experience providing proactive and practical advice to businesses on all aspects of employee benefits and executive compensation, including ERISA compliance, defined benefit and defined contribution retirement plans, health and welfare plans, executive employment agreements and non-qualified…

Julia has more than 20 years of experience providing proactive and practical advice to businesses on all aspects of employee benefits and executive compensation, including ERISA compliance, defined benefit and defined contribution retirement plans, health and welfare plans, executive employment agreements and non-qualified deferred compensation arrangements. Julia advises publicly traded companies, privately held companies and non-profit corporations in the Cleveland, Ohio area and nationwide from a variety of industries including technology, banking, retail, and manufacturing which gives her insight into best practices and emerging trends in the industry.