Retirement Plan Sponsors Need Strong Cybersecurity Defenses

In October, a former participant in the Estee Lauder 401(k) plan sued the plan sponsor and plan providers for failing to safeguard her retirement account.

According to the complaint, in September and October 2016, an unknown person or persons stole the participant’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan.

The lawsuit highlights the importance of retirement plan sponsors having robust cybersecurity defenses.

The two areas of cybersecurity defense that sponsors should be mindful of are breaches and fraud, says Lynda Abend, chief data officer with John Hancock. “A breach is where there is a compromise to your information systems, and there is a large extraction of data,” she says. “Fraud is when that data is used to perpetrate a financial crime.”

Surprisingly, “there is no formalized guidance on cybersecurity, although a number of regulations are coming out,” Abend says. “There are the GDPR privacy regulations in Europe. California is coming out with the Consumer Protection Act, which will impose fines on corporations with data breaches.”

Should a breach or fraud occur, “a sponsor could be liable if the claimant establishes that it failed to follow a prudent process to safeguard the plan data,” says Joan Neri, counsel in Drinker, Biddle & Reath’s ERISA practice. “That is how a liability could develop, and the consequences could be severe. The sponsor would need to make the plan whole, to send notifications about the breach and fraud to participants, and to provide them with identity theft protection. There would be business interruption and reputational risk.”

Neri says sponsors need to be mindful about the sensitive data they manage on behalf of retirement plan participants: their dates of birth, Social Security numbers and account balances. Breaches could occur through phishing, malware or a stolen laptop, she notes.

The first thing that sponsors should do is to ensure that their fiduciary insurance policies have riders that cover cyber breaches, Neri says. “A lot of insurance companies are now offering standalone cyber insurance that is far more complete than a rider,” she adds. “They include things such as access to cyber breach response experts, credit monitoring and technical assistance with public relations.”

Related to receiving underwriting for such insurance are measures sponsors should be taking to avoid a breach or fraud, she says. “Underwriters look at three major factors. First, what sponsors are doing in the way of careful hiring practices and whether they are providing training on cybersecurity best practices. Second, they look at how data is transmitted and who has access. Finally, they scrutinize sponsors’ processes for hiring service providers. There is a whole network of third parties involved in the management and administration of a retirement plan. It is imperative for sponsors to prudently select and monitor their service providers.”

When hiring service providers, sponsors should also look to see whether or not they have a clause about how they handle cybersecurity in their contract, Neri says. “The contract should address limitations and restrictions on how the service provider is using the plan data. They should be encrypting data and destroying data they no longer use, and, if they have subcontractors, it should spell out how they interact with them.”

Most importantly, it should detail “how they will respond to a cybersecurity breach and how they will take efforts to prevent future occurrences,” Neri says. “They should also state that they will preserve evidence because it might be needed to track down the person who perpetrated the breach. It should also include language that they agree to be liable in the event of a breach, and that they will share the costs.”

Indeed, many recordkeepers now offer cyber guarantees that make up for losses up to a certain point, says David Kaleda, a principal in the fiduciary responsibility practice group at Groom Law Group, Chartered. “In a typical recordkeeper agreement or third-party agreement, there are indemnification and warranty clauses,” he says. “Sponsors should check to see if they include provisions that will make a plan whole again” in the event of fraud.

Service providers should also have conducted a SOC (Service, Organization, Control) 2 audit, according to Abend. “Those audits look at their security, availability, processing, confidentiality and privacy of data—and their controls around them,” she says. 

SOC 2 reports are derived from the American Institute of Certified Public Accountants (AICPA) Trust Service principles, Abend explains. They were developed to provide assurance on internal IT controls related to information handling in the Cloud in order to minimize risk and exposure.

In order to handle all of this, it is important to work with an Employee Retirement Income Security Act (ERISA) attorney who is familiar with cybersecurity, Neri says.

It is also important for sponsors to educate participants on best practices for protecting their data, says Jason Lish, chief security, privacy and data officer for Advisor Group’s advisor solutions team. “They can encourage participants to set up multifactor authentication and other types of anomaly identification,” Lish says.

Just as important is “having a cybersecurity management plan in place whereby all of the retirement plan fiduciaries understand what that plan is and how it is executed,” Abend says.