Cyber (In)Security: Why Retirement Plans Are at Risk and How to Protect Them

With 401(k) plans holding trillions of dollars in assets — along with personal information such as social security numbers, bank account information, and more — it’s no wonder they’ve been subject to recent cyberattacks. As fiduciaries, advisors and plan sponsors are wondering what exactly they are liable for and how to protect their plans. Vestwell’s December 18 panel, featuring cybersecurity expert Joe Pampel and retirement law expert Jason C. Roberts, explored this very topic.

What are fiduciaries liable for?

As of now, ERISA and relevant case law are silent about the extent to which fiduciaries are liable for data security violations, though there are numerous state and federal law theories that may hold them liable for a variety of monetary damages. As the law in this area evolves, the following legal principles are becoming well-settled:

  1. Protect plan data. Plan fiduciaries are required to protect all plan assets. Although it is unclear whether participant data is considered a “plan asset,” fiduciaries should be cautious and take reasonable steps to keep sensitive plan data out of criminals’ hands.
  2. Vet service providers. Fiduciaries must prudently select service providers, such as their payroll vendor and recordkeeper. Part of selecting these vendors is asking about how they protect participants’ personal information and understanding their overall security procedures.
  3. Ensure other fiduciaries don’t breach their duties and take steps to remedy any known breach. This is a mouthful, but it simply means that advisors and plan sponsors should make sure other fiduciaries fulfill their duties and, if there is a security breach, take the necessary remediation actions, which may include replacing the service provider.
Selecting the right providers

We’ve already addressed how plan fiduciaries are responsible for vetting their service providers, and since cybersecurity is a critical part of the selection process, it’s important to ask the right questions.

  1. How do they manage data? This can be as simple as asking providers how information flows into and out of the recordkeeping system and who has access to personal information. Ask if the data is stored in the United States or abroad and how they back data up, such as whether it’s stored on backup tapes or in the cloud. Ask about the vendor’s background screening of its employees and how often those checks are updated.
  2. Do they offer contractual protections? Plan fiduciaries should include contractual protections to hold third parties liable for security breaches. This can include things such as requiring the provider to notify you within a few days of discovering a data incident as well as verifying sufficient cybersecurity insurance coverage.
  3. Have they had any historical breaches? In addition to asking providers what steps they are currently taking to prevent attacks, ask them about any breaches they have had in the past, how they were resolved, and how often they undergo security audits. Also ask these questions of any subcontractors they use, as those are often overlooked in the vetting process.
Protecting your own business

In addition to selecting secure vendors, plan sponsors should also make sure they are taking necessary steps to protect their own plans by:

  1. Getting insurance. Just like third party vendors, sponsors can and should obtain cybersecurity insurance to help protect assets in case of a breach of its own security systems.
  2. Monitoring plan statements. Sponsors should review plan activities such as unusual and/or large withdrawals, and educate participants to do the same.
  3. Ensuring data security. Just as one would ask a service provider about its processes, it’s important to understand how sensitive data is shared internally. Sponsors should restrict access to only those employees who need it.
  4. Reviewing providers (at least) annually. Sponsors should use the steps above to analyze providers’ security practices at least once per year, if not more often.
  5. Educating employees. Employees should receive training at least annually on ways to mitigate the risk of a cyberattack. This includes things such as picking complicated passwords, implementing multi-factor authentication, monitoring account activity, and only accessing their plan on secure devices.

Although ERISA does not include any specific rules when it comes to cybersecurity, fiduciaries are responsible for protecting their retirement plans. From restricting access to plan data to properly vetting service providers, there are practical steps advisors, plan sponsors, and even participants can take to mitigate the risk of a cyberattack.