Editor's note: A spokesperson for Nationwide says that the breach is in fact not being investigated as a cyber attack but as a case of fraud. According to a report in the Chicago Tribune last year, "The theft was apparently undertaken by a person or group who accessed personal information and apparently created a web profile to take out a loan from the retirement account, officials said."

Another big hit targeted a grocery workers union pension plan in St. Louis, with hackers demanding a three-bitcoin (about $2,000) digital currency ransom to return control of the United Food and Commercial Workers (UFCW) Local 655 pension plan’s computer servers.

Among the data at risk were employee names, birthdates, Social Security numbers and bank information. While the union refused to knuckle under and pay ransom (it had a backup system), it did end up footing the bill for a year of credit monitoring and theft restoration services.

But in another case, the University of Massachusetts Amherst was on the hook for a $650,000 penalty and had to follow a corrective action plan after a malware infection targeting the university's employee health care plan exposed the sensitive health information of 1,500 people in a potential violation of the Health Insurance Portability and Accountability Act (HIPAA).

Why so much? The Department of Health and Human Services found that the university had failed to accurately assess the risk of malware infection and adopt procedures to secure its data.

According to Schelberg, benefit plans “are particularly susceptible to cyber-risks because they store large amounts of sensitive employee information and share it with multiple third parties.” And even though security measures may not be foolproof, cyber-risks “can be managed.”

It could be argued, he said, that it’s actually within a plan trustee's fiduciary duties not only to prepare for a possible cyberattack but also to ensure that any breach results in as little exposure, and cost, as possible.

Some actions he suggested sponsors take to protect plan data include the following:

• Developing and implementing a framework to address cybersecurity issues

• Addressing third-party vendor vulnerabilities that could add risk, especially for electronic transfer of sensitive data to third parties

• Backing up sensitive data, then storing it off network where it is not accessible to hackers

• Boosting passwords, including adding multifactor authentication for accessing data systems

• Increasing investment in security software and systems

• Involving boards of directors more directly in security matters

• Considering the purchase of cyberliability insurance

Sponsors must also be current on the HIPAA requirements for notification of people whose health information may have been breached, even if a third party is involved, as well as for ERISA requirements for notification and for other actions in the event of a security breach.

And in the case of ERISA, the process could be far more complicated than sponsors believe.

In the report, Kristen Mathews, another partner in Proskauers New York City office, was cited saying that benefit plans are affected by the laws of states where health plan enrollees or retirement plan participants live—not just the state where the company is headquartered or where the plan is administered.

She pointed out that pension plans could be affected by security laws in any state in which a retiree or beneficiary resides.