Cyberattacks have made their way into the U.S. retirement system.
While we may have hoped that employer-sponsored retirement plans would escape the types of cyberattacks plaguing financial service providers and dominating headlines, service providers to employee benefit plans have experienced a substantial increase in cyberattacks over the past few years. One plan record keeper noted that the number of these attacks has more than doubled since 2016.
Cybersecurity threats present new risks for fiduciaries of employer-sponsored retirement plans, as well as for advisers and other providers who serve them. However, these risks can be mitigated, and advisers and other plan service providers can add real value to client relationships by helping their clients navigate these risks.
While all cyberattacks involve criminal activity, they can vary in terms of technical sophistication and financial impact. Some attacks only seek to steal personal, confidential information, while others aim to steal money from a plan.
Here are some of the most common cyberattacks:
• "Malware" is software used to gain illicit access or control over a computer network. A notorious type of malware is "ransomware," which purports to lock a computer and its files until a ransom is paid.
• "Phishing" is an attack in which individuals are tricked into providing their log-in credentials, often by following a hyperlink sent to them through a fake but official-sounding email.
• Fraud encompasses stealing retirement plan assets or data through deception and misrepresentations. A person might call a plan record keeper's call center, falsely claiming to be a participant, and request a distribution.
These types of attacks frequently build on and follow each other. For example, an attacker might gain access to a record keeper's participant database as a result of a phishing attack sent to an employee of the record keeper. Then, participants' personal data could be leveraged in an attempt to obtain a distribution of their plan accounts.
No government oversight
While there is no central law governing the cybersecurity of retirement plans, there are several sources of potential liability that could result from failure to maintain adequate procedures to protect plan data and assets.
First, the Employee Retirement Income Security Act of 1974 requires fiduciaries to exercise prudence with regard to the administration of employee retirement and health plans. To the extent fiduciaries do not maintain prudent procedures to mitigate cybersecurity risks and an incident occurs, they may be held liable for a breach of fiduciary duty.
Second, myriad state privacy laws may apply, and state administrative agencies may undertake enforcement actions against companies that are subjects of cybersecurity incidents.
Third, advisers and other service providers from whom plan assets or data are stolen may be subject to contractual liability for failing to take commercially reasonable precautions.
If a cyber incident can be traced to a specific service provider, the service provider may be expected to make the plan whole for losses suffered by the plan and its participants. Among the expenses the service provider could be exposed to:
• Costs to uncover the extent of the breach and to recover damaged data.
• Reimbursement of stolen assets.
• Identity-theft protection and monitoring costs for plan participants.
Although it is not possible to completely eliminate cyberbreaches, advisers, plan service providers and plan fiduciaries should establish a prudent process for understanding and managing risks.
It is becoming more common for plan fiduciaries to ask potential plan providers about their cybersecurity policies and procedures as part of the request for proposal process. Therefore, advisers and other service providers that have cybersecurity policies and procedures in place and can help a plan develop or refine its own may have a competitive advantage in the marketplace.
The content of such policies and procedures will depend on each enterprise's individual circumstances, but high points to touch on include:
• Taking inventory of where participant and other confidential data is stored and who has access to it.
• Strategies to prevent a cybersecurity incident, which may include training for employees and plan officials; a "data diet," limiting access to only those who need it; and maintaining up-to-date software and hardware, including encryption and firewalls.
• Regular monitoring to determine vulnerabilities and detect whether an intrusion occurred.
• Steps to be taken to address an incident should one occur, including determining the scope of the problem, notifying plan participants and enacting corrective measures.
Advisers and plan service providers may want to consider purchasing cybersecurity insurance. Traditional fiduciary liability or errors and omissions insurance may not provide the necessary coverage, or may limit coverage until a legal claim is made.
Stephen M. Saxon is a partner at Groom Law Group