Cyberattacks are on the rise: Plan sponsors, is your retirement plan protected?
The DOL offers guidance to assist fiduciaries in navigating a world where cyberattacks have become more and more commonplace, but plan sponsors also need to take the necessary steps to limit unwanted liability.
Today, the rapid evolution of technology has expanded the capacity of human reach in ways that were once unimaginable. Developments in artificial intelligence and quantum computing, and the expansion of the internet, have revolutionized the way we all live. Despite the positives of these developments, there is an increasing trend of concerted attacks on the unknowing and unwary who occupy the cyber world, to their detriment.
In spite of all the benefits of AI, quantum computing and the internet's expansion, the growing number of cyberattacks is causing considerable damage, the effects of which are felt at all levels of our society. Businesses, hospitals, schools, and even governmental entities that frequently maintain outdated, unsophisticated computer systems have all fallen victim to cyberattacks. It should not be surprising, then, that private sector retirement accounts are increasingly under attack, and qualified plan sponsors are facing many questions and concerns. Given that federal law imposes a fiduciary duty and responsibility for the security of plan assets, what must they do as cybercriminals frequently place their hands into the figurative plan cookie jar?
In answering this question, it is important to first understand the contours of this duty. A fiduciary duty is the highest legal responsibility that arises between a fiduciary and a beneficiary, exposing the fiduciary to personal liability for any breach of that duty. The responsibility mandates that the fiduciary act strictly in the best interests of beneficiaries, underscored by the duties of loyalty, care, and good faith. A breach of fiduciary duty can result in, among other things, legal action commenced by the beneficiary seeking compensatory and even punitive damages for the harm suffered on account of the breach. Attorneys' fees may also be recoverable through such an action. Some examples of fiduciary relationships include the trustee-beneficiary relationship and the plan sponsor-plan participant relationship.
The fiduciary duty governing the plan sponsor-plan participant relationship first arose upon the enactment of the Employee Retirement Income Security Act of 1974 (ERISA). ERISA is a legal cocktail consisting of equal parts tax law and labor law, predicated on implementing minimum standards of protection for all private sector qualified plans. Under this federal law, plan administrators, trustees and all others exercising discretionary authority over plan assets and benefit determinations are charged with the fiduciary duty to manage the plan and its assets in the exclusive interests of the participants. ERISA's high legal standard of conduct, known as the "prudent man standard," tasks plan sponsors with safeguarding employee benefits and accounts while minimizing potential losses. As such, a breach of this fiduciary duty can result in the fiduciary's personal liability.
ERISA, however, was enacted in 1974, when cyberattacks were inconceivable: pension plans at that time did not rely heavily on computer technology to manage plan administration and record keeping. As of 2018, according to the Employee Benefits Security Administration of the U.S. Department of Labor (DOL), approximately $9.3 trillion was held in trust for participants of private sector pension plans. The DOL is the federal agency charged with ERISA fiduciary duty oversight and enforcement. Moreover, the Federal Bureau of Investigation, in its 2021 Internet Crime Report, reported approximately $6.9 billion in losses from cybercrime. Given the money at stake and the potential for financial ruin, plan participants demand that plan sponsors make them whole for losses suffered through cyberattacks. Consequently, such demands have increasingly resulted in expensive and protracted litigation for which plan sponsors frequently lack insurance coverage.
For example, in Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive, the federal district court held that the participant's ERISA breach of fiduciary duty claim survived the motions to dismiss of two of the three defendants. There, the plan participant was a victim of identity theft: the perpetrator tricked the third-party service provider of the participant's company-sponsored savings plan into changing her personal information (home address and PIN) on her pension account. The perpetrator was then able to steal the entire $750,000 in the participant's savings account by having the trustee bank mail a check to an unrelated Las Vegas address. The participant sued the Employee Relations Committee of Colgate, which served as the plan administrator; Alight Solutions, which provided contract administration; and the Bank of New York Mellon, which served as the plan's trustee. All three defendants filed motions asking the court to dismiss the participant's claim.
In assessing the motions to dismiss, the court began by noting that ERISA imposed fiduciary duties upon the Committee, the entity that is "ultimately responsible for protecting the plan's assets." Upon review of the plaintiff's claims, the court denied the Employee Relations Committee's motion on the grounds that "the information about the Committee's monitoring is solely within the knowledge of the Committee," so discovery could bring pertinent information to light. The court noted, however, that the Committee is by no means "an insurer against any and every possible wrongdoing" and that "if it took reasonable steps to ensure that fraud and theft would be detected (which quite possibly includes by hiring a reputable contract administrator) it will not be deemed to have breached its fiduciary duty" even though money was ultimately stolen. The court similarly denied Alight's motion but granted the bank's.
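The fact pattern above (a profile change at the recordkeeper, then a distribution mailed to the newly entered address) is exactly the sequence that "reasonable steps to ensure that fraud and theft would be detected" should catch. As an added illustration, not drawn from the case record, the DOL guidance or any recordkeeper's product, the following Python sketch flags distribution requests that follow an address or PIN change on the same account within an assumed review window, and notes when the payee address is the one just changed. The event records, field names and 14-day window are constructed for the example and would be set by a plan's own procedures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One recordkeeper event. Field names are assumptions for this example."""
    ts: datetime
    participant: str
    kind: str     # "address_change", "pin_change" or "distribution_request"
    detail: str   # new address for a change; payee address for a distribution


SENSITIVE_CHANGES = {"address_change", "pin_change"}
HOLD_WINDOW = timedelta(days=14)   # assumed review window; a plan would set its own


def flag_suspicious_distributions(events, window=HOLD_WINDOW):
    """Return [(distribution_event, [reasons])] for every distribution request
    that follows a sensitive profile change on the same account within `window`.
    A payee address equal to a recently changed address adds a further reason."""
    by_participant = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_participant.setdefault(e.participant, []).append(e)

    flagged = []
    for evs in by_participant.values():
        recent_changes = []            # sensitive changes seen so far, in time order
        for e in evs:
            if e.kind in SENSITIVE_CHANGES:
                recent_changes.append(e)
            elif e.kind == "distribution_request":
                reasons = []
                for c in recent_changes:
                    age = e.ts - c.ts
                    if age <= window:
                        reasons.append(f"{c.kind} {age.days} days before request")
                        if c.kind == "address_change" and c.detail == e.detail:
                            reasons.append("payee address matches recently changed address")
                if reasons:
                    flagged.append((e, reasons))
    return flagged


# Constructed sample events (not from any real plan or the case record).
SAMPLE_EVENTS = [
    # Account p1: address and PIN changed, then a check requested to the new address.
    Event(datetime(2023, 1, 3), "p1", "address_change", "100 Example St, Las Vegas, NV"),
    Event(datetime(2023, 1, 5), "p1", "pin_change", ""),
    Event(datetime(2023, 1, 10), "p1", "distribution_request", "100 Example St, Las Vegas, NV"),
    # Account p2: address changed months earlier; distribution is outside the window.
    Event(datetime(2022, 6, 1), "p2", "address_change", "5 Oak Ln, Springfield"),
    Event(datetime(2023, 2, 1), "p2", "distribution_request", "5 Oak Ln, Springfield"),
    # Account p3: routine distribution with no recent profile change.
    Event(datetime(2023, 3, 1), "p3", "distribution_request", "9 Elm Rd, Springfield"),
]


def run_demo():
    """Run the rule over the constructed events; returns the flagged list."""
    return flag_suspicious_distributions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev, reasons in run_demo():
        print(ev.participant, ev.ts.date(), "->", "; ".join(reasons))
```

A hit from a rule like this is a trigger for out-of-band verification (for example, a call to a phone number that was on file before the change, or a hold until the participant confirms) rather than a reason to block the payment outright, and the window and matched fields should track whatever the plan's own distribution procedures treat as sensitive.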
In light of this and other similar cases, there has been increasing recognition that the fiduciary duties imposed under ERISA apply fully to cyberattacks targeting retirement accounts. As a result, plan sponsors and other fiduciaries face the risk of “being on the hook” for such losses.
These developments have left fiduciaries with uncertainty surrounding the extent of their duty to safeguard participants' retirement assets, as well as the personal information stored in the files of qualified plans. To address these concerns, the DOL in 2021 turned its attention to the threat that cybercrime poses to qualified plans by releasing guidance to assist fiduciaries in navigating a world where cyberattacks have become more and more commonplace, announced as "U.S. Department of Labor Announces New Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record-Keepers, Plan Participants."
Under this guidance, the DOL outlines three sets of prudent best practices for safeguarding retirement plan accounts, published as "Tips for Hiring a Service Provider with Strong Cybersecurity Practices," "Cybersecurity Program Best Practices," and "Online Security Tips." First, plan sponsors are urged to enhance their selection criteria when choosing providers. Some of these measures include, but are not limited to, inquiring into the provider's security standards and the metrics by which those policies are assessed. This review should include evaluating whether the provider has cyber insurance coverage in place in the event of a breach, and researching whether the provider has ever experienced security breaches in the past and, if so, what countermeasures were subsequently taken. In essence, these recommendations place upon plan sponsors new expectations of due diligence and prudence when selecting a service provider for their participants. In so doing, plan sponsors are encouraged to compare the numerous providers to ascertain which one best promotes cybersecurity practices.
The guidance additionally focuses on plan fiduciaries and record-keepers, recommending best practices to mitigate the risk of cyberattacks. Some of these recommendations include conducting periodic risk assessments along with cybersecurity training for both management and employees, and implementing a clear internal structure of security roles and responsibilities. These measures form part of a well-maintained cybersecurity program, which also ensures that data or other assets managed by third parties are routinely subjected to security reviews and requires that all sensitive data be encrypted.
Finally, the DOL outlines certain safeguards that plan participants themselves should adopt. Here, the DOL contemplates a symbiotic relationship in which plan sponsors assist the participant, and vice versa. Such recommendations include consistently monitoring one's account with a keen eye for suspicious activity, using strong, unique passwords that are not reused on other accounts and enabling multi-factor authentication where it is offered, being on constant lookout for phishing attacks, keeping antivirus software on one's computer up to date, and avoiding logging into retirement accounts over public Wi-Fi. In the event suspicious activity is noticed, the guidelines urge participants to contact their sponsors immediately.
It is important to note that the guidance offered by the DOL acts as a general rubric, containing default recommendations to help plan sponsors and participants better understand their joint responsibilities in a period of persistent cyberattacks. No one should confine future actions exclusively to the guidelines, but rather go beyond the best practices contemplated by the DOL. These guidelines are in essence only a beginning, and not an end.
A world rife with cyberattacks has caused great uncertainty for fiduciaries, especially when personal liability is at stake. This uncertainty causes deep concern, but plan sponsors should be assured that mechanisms exist to bring that risk under control. The first step for affected parties is to comprehend the threats and to embrace the full array of countermeasures at their disposal. Through the implementation of prudent actions, coupled with vigilance and training, plan sponsors can take the necessary steps to limit unwanted liability.
Gary S. Young is a partner at Mandelbaum Barrett’s corporate, ERISA practice and employment law groups. Patrick A. DaSilva is a 3L at Seton Hall University School of Law and a current law clerk at Mandelbaum Barrett.