Cybersecurity for Plan Fiduciaries: Focus on Account Theft

This spring, the Department of Labor (DOL) put plan fiduciaries on notice that they have a duty to mitigate cybersecurity risk. If the latest news on cyber incidents hadn’t been enough to rouse those responsible for the safety of participant accounts, the DOL’s guidance is stirring the waters. 

Retirement account theft is one of the risks cropping up in the employee benefits community. If you are a plan sponsor or a plan fiduciary, it’s important to make sure you’ve thought about how to address this risk that is now well above the horizon.

Retirement Account Theft: When Lightning Strikes

Imagine one of your retirees, who faithfully contributed to her defined contribution (DC) plan account for a lifetime, logs in online to check her latest earnings. The account is empty—a zero balance. She thinks, “there must be some mistake,” so she calls the recordkeeper to point out the error. 

The recordkeeper’s call center tells her there is no error; the balance is zero. The call center explains that the retiree herself requested and received a full distribution of the account. Over the next few hours, an absolute nightmare unfolds. 

Your retiree’s personal email was hacked. Maybe the hacker was able to get into her email account through a backdoor vulnerability in the email provider’s system. Maybe he just guessed it through automated repetitive password generation. Maybe the hacker already knew the retiree’s email password because she reused that same password for several online merchant accounts. If just one of those merchant accounts was hacked, the retiree’s email address, username and password might have been listed for sale on the dark web. Either way, the hacker got into the retiree’s email and was lurking, but the retiree didn’t even know.

The hacker could have learned other personal information about the retiree once he was in her email, including that she has a DC plan account and the location of that account, so he logged into her account. Maybe he already had the account password because the retiree used the same password as her email password. Maybe the hacker didn’t have the password and requested a password reset using the retiree’s email. He then erased the password change notifications and any other security alerts sent by the recordkeeper to the retiree’s email. Once into the retirement account, the hacker swiftly took steps to change the minimal amount of information necessary to request and receive a distribution and went through with the request.

It’s logical to think that the distribution can be traced to the bank account that received the distribution. Unfortunately, it’s not so easy. Most likely, as soon as the money landed in that account, it was transferred overseas. When that overseas transfer starts, there is very little time to recover the money—hours, days, maybe three days at most—and then it’s gone. Worse, there is no federal insurance in place to repay the loss and no Federal Deposit Insurance Corporation (FDIC) guarantee. The retiree learns she has lost a lifetime of savings.

One Lightning Strike Is Too Much

Unfortunately, retirement accounts are a tempting target for cybercriminals since balances might be large. Plan fiduciaries who are aware of account theft risk likely know about it because of a very few well-publicized cases that proceeded to litigation. But other instances of retirement account theft were probably not reported, perhaps because the plan sponsor or recordkeeper restored the account.

Whether in the public eye or not, retirement account thefts are rare, but they do happen—and have been happening for a long time. The salient point is this: One case can take your participant and you down a rabbit hole that might not have a great ending. The recordkeeping industry has built and operates vigorous systems to protect participant accounts. But no matter how vigilant your plan’s recordkeeper is, plan sponsors, plan fiduciaries and plan participants can and should take steps to protect retirement accounts from cyber theft. The recent DOL guidance is designed to outline what those steps might be.

Protecting Participants

What can a plan sponsor or plan fiduciary do? To start, they should arm participants to be part of the solution through education. Although the Employee Retirement Income Security Act (ERISA) does not require cybersecurity education, it can be an invaluable tool, and there are many issues that a plan sponsor or plan fiduciary might consider educating their participants about.

First, one of the most important steps a participant can take to protect her retirement savings is to register her account online and monitor it. Some participants think that it might be safer not to establish their online account, but that is not true. If a participant hasn’t registered her own account, it’s easier for a criminal to register it for that participant.

Further, when a participant registers her online account, she should provide the recordkeeper with her full contact information. If a participant provides multiple points of contact—such as email addresses or phone numbers—she is more likely to receive security alerts even if one of her email accounts is compromised. It’s important for a participant to monitor and respond to security alerts as well. A participant’s online ownership and oversight of her account is sometimes referred to as “naming and claiming” the account and is an important protective step.

Second, participants should use complex passwords that are unique to their account. For example, if a participant uses a password for a routine app and that app is breached, that password has been exposed. An exposed password may later be sold on the dark web. It is cheap and easy for the purchaser to run that password through millions of databases, including email accounts and DC plan recordkeeping platforms, to see if lighting will strike.

Third, plan fiduciaries and participants should consider adopting enhanced security practices available from their recordkeepers. A common start is multifactor authentication. Multifactor identification as a prerequisite to online access is a strong tool for protecting against fraud. Plan participants should be educated about the value of multifactor identification. 

Fourth, plan participants should use good online hygiene as well. No participant should log in to her retirement account in a public place where she can be recorded entering her password. Further, a participant logging on to his retirement account should think carefully before using potentially unsecure public WiFi to do so. Other sources of vulnerability include phishing attacks. Participants should, as a matter of course, never click on links or respond to requests for confidential information. Participants should keep their home computer and smartphone software up to date by installing any recommended software patches. 

Finally, one great way for an ERISA fiduciary to educate participants about online security is to distribute the DOL’s “Online Security Tips” directly to participants. These tips teach participants how to reduce the risk of fraud and loss to retirement accounts. Some plan sponsors have already put these tips on their websites and have sent them to participants by mail. Others are even including them in summary plan descriptions (SPDs).

Account Guarantees

Some recordkeepers provide “account guarantees” or other programs to protect participant accounts from fraudulent distributions. When selecting and monitoring their recordkeepers, plan fiduciaries can check with their recordkeepers to see what guarantees they provide. Sometimes there are conditions to the guarantee (e.g., checking your account balance at least once a month) that can be communicated to participants. And, as always, where possible, getting a service provider’s guarantee in writing can benefit both plan fiduciaries and participants.

Conclusion

Don’t let lightning strike in your plan. If you are an ERISA fiduciary, you play a key role in helping your participants guard against the theft of their accounts at the hand of cybercriminals. Take the steps noted above and stay abreast of developments in this rapidly evolving area. 

Jeanne Klinefelter Wilson is a principal with Groom Law Group. She has served as ERISA [Employee Retirement Income Security Act] counsel for over 15 years. Wilson led the Department of Labor (DOL)’s Employee Benefits Security Administration (EBSA) from 2017 until earlier this year in the roles of acting assistant secretary and deputy assistant secretary.