
Protecting ERISA Retirement Plans From Cyber Threats: How To Mitigate Losses and Personal Liability
Over the past fifteen years, global business markets have entered a new paradigm in which identity theft, ransomware, email compromises, and data breaches are becoming more frequent, sophisticated, and costly. Billions of financial data records have been exposed or stolen, and billions more will follow. Cybercriminals thrive in sectors that are target-rich but cybersecurity-poor.
In the U.S., the 42 trillion dollars held in plans governed by the Employee Retirement Income Security Act (ERISA) depend not only on the investment performance of their assets but also on the integrity of the security systems of asset custodians and information technology (IT) departments and vendors who guard plan data and plan operations. Historically, retirement plan fiduciaries took appropriate measures to ensure retirement funds were available to pay promised benefits to participants. In today’s cyber-active world, fiduciaries must also take adequate measures to protect personal financial information and underlying IT systems from malicious cyber actors seeking to steal valuable assets, personal financial data, and other confidential information.
The interests at stake, given the number of participants in ERISA plans and the concentration of wealth held in them, are enormous. The trillions in ERISA plans are a primary source of income security for millions of Americans. Despite these stakes, ERISA was enacted in 1974, long before the ubiquity of computers, and it only explicitly protects plan assets in private company plans; ERISA does not address whether data is a plan asset that requires protection. In this vacuum, recent Department of Labor (DOL) guidance recognized the importance of protecting plan assets and financial information from cyber threats. Failure to safeguard plan assets can result in costly litigation for corporate plan sponsors and plan fiduciaries, derived from allegations of breach of the fiduciary duties of prudence and loyalty. Even without fully litigating the dispute, in today’s online and social media world, mere allegations of corporate malfeasance concerning plan assets can be just as costly. Fiduciaries hold significant control over the safety and integrity of a plan’s assets; compliance with ERISA fiduciary duties requires shielding plan assets from cyber threats. Prudent plan management means taking action to protect personal financial data maintained at the plan level from cyber criminals. If plan fiduciaries fail to comply with ERISA’s strict duties regarding a plan’s assets, they can be found personally liable for breaches of their fiduciary obligations. Whether a company’s fiduciary insurance or cyber insurance policies will defend the plan fiduciaries and provide coverage for this type of claim depends first on whether the company has purchased these types of policies for the ERISA plan at all and, if so, whether the coverage is sufficient to cover plan losses.
ERISA class action lawsuits alleging fiduciary breaches for failure to safeguard plan assets have already included allegations of failure to protect confidential personal financial information. Safeguarding the sensitive personal financial data contained in ERISA accounts from cyber threats presents a unique challenge: no federal statute specifically addresses cybersecurity protection of electronic records.
There are several proactive measures fiduciaries should take to fulfill their duties and protect plan assets and personal financial data:
- Conduct Regular Risk Assessments: Fiduciaries should routinely evaluate cybersecurity risks that can impact plan participants’ information. For large ERISA recordkeepers and custodians, this includes all IT systems that handle or communicate such data. Examples of such evaluations include performing system vulnerability scans, penetration testing, reviewing network and data access controls to ensure only authorized personnel can access sensitive information, and conducting annual third-party security system audits.
- Engage With Service Providers: Many retirement plans rely on third-party service providers. Plan sponsors should thoroughly vet and partner only with service providers that adhere to stringent cybersecurity standards. Contracts should outline the provider’s data protection protocols and include breach notifications and liability terms. Remember, fiduciaries can be held liable not only for failing to protect information but for failing to monitor third parties.
- Implement Multi-Factor Authentication (MFA): One of the simplest and most effective ways to enhance data security is to require MFA for access to sensitive data. This includes MFA for participant access to individual accounts and for any entity, whether fiduciary or not, accessing plan-wide data. MFA makes access to financial data more secure and less susceptible to unauthorized use.
- Adopt Data Encryption Practices: Data at rest and in transit should be encrypted to prevent unauthorized access. Fiduciaries should ensure their systems employ the latest encryption technology and that service providers and partners follow similar practices, as there are often logical connections between networks.
- Training and Awareness Programs: Employees, participants, fiduciaries, and anyone accessing an IT system holding retirement information should receive ongoing training on identifying protected data and securing it, cybersecurity best practices, recognizing and avoiding phishing messages, and other security risks.
- Develop a Breach Response Plan: Fiduciaries should have a comprehensive cyber incident response plan developed by organizational stakeholders and exercised regularly. There is no defense to a breach that compares to knowing what to do in the event of a breach. A cyber incident response plan should include notifying affected participants (including making notifications in the absence of normal work communications), working with internal and external cybersecurity experts, and correcting system weaknesses that led to the breach.
Best Practices for Plan Sponsors to Ensure Fiduciary Compliance
To enhance fiduciary protection of retirement plan data, plan sponsors should ensure their fiduciaries follow appropriate cybersecurity standards recommended by the Department of Labor (DOL) and retirement industry experts:
- DOL Guidance: The DOL provides guidance on cybersecurity best practices for retirement plans. Fiduciaries should be familiar with these guidelines, including robust security protocols, strong access controls, and regular monitoring of data security measures. If they do not follow these guidelines, they should use other standards commonly accepted by organizations in the retirement industry.
- Cybersecurity Risk Management: Fiduciaries should develop comprehensive cybersecurity programs that align with risk management standards. This includes performing third-party cybersecurity audits and benchmarking cybersecurity practices against appropriate standards.
- Vendor Management: Contracts with third-party vendors handling sensitive data should include clearly defined security obligations, service-level agreements regarding data protection, incident response protocols, and clearly identified consequences for failure to adhere to those obligations. Determine whether the service provider is cross-marketing participant data, which exposes it to additional risk of cyber theft.
- Regular Plan Reviews: Sponsors should encourage fiduciaries to regularly review and update their cybersecurity protocols to keep up with evolving threats. This should include updating firewalls, strengthening access controls, and regularly testing cybersecurity measures.
- Periodic Training Sessions: Plan participants should be trained regularly on cybersecurity threats and measures to mitigate risks for themselves and others. A well-informed first line of defense is less likely to fall prey to phishing attempts, social engineering, and other cyberattacks.
Fiduciaries have a legal and ethical responsibility to ensure retirement assets are well-protected from the rising tide of cyber threats. If they fail in this duty, they can be held personally liable for plan losses. By adhering to robust cybersecurity practices, conducting regular risk assessments, and following DOL-recommended guidelines, fiduciaries can shield plan participants from identity theft, hacking, and data breaches. Retirement plan participants should engage their fiduciaries and demand transparency, vigilance, and robust measures to protect the plan participants’ assets from cybersecurity breaches and theft.
With enhanced cybersecurity measures, including proactive steps to ensure the safety and integrity of plan participants’ hard-earned assets in an increasingly digital world, plan fiduciaries can mitigate the risk of personal liability.
JOIN US FOR A CLE WEBINAR
Securing Retirement: Proactive Cybersecurity Strategies for Plan Sponsors and ERISA Fiduciaries
Thursday, January 30, 2025
12:00 p.m. – 1:00 p.m. EST
Please join Buchanan attorneys Candace Quinn and Kurt Sanger, and guest speaker Camille Cribaro-Mello, Esq., Senior Complex Claims Director at Berkshire Hathaway Specialty Insurance, for a CLE webinar addressing the critical importance of cybersecurity in managing ERISA retirement plans. This webinar will provide strategies to protect you from the risk of personal liability and to protect plans from losses. It will also explore the responsibilities of ERISA fiduciaries and the potential for personal liability, including the extent to which fiduciary liability insurance may offset cybersecurity risk.
Corporate plan sponsors and ERISA retirement plan fiduciaries can mitigate the risk of potential plan losses and costly litigation by working with ERISA and cybersecurity counsel to take proactive steps to protect plan assets and participants’ sensitive financial data from cybersecurity threats. Attendees will learn best practices for enhancing cybersecurity and for managing vendors in the face of increased cyber threats.
The session will highlight the responsibility of ERISA fiduciaries to adopt strong cybersecurity measures that ensure the safety and integrity of employees’ hard-earned assets in a digital landscape. Participants will gain actionable insights to safeguard their retirement plans against potential cybersecurity breaches and theft.
Continuing Legal Education (CLE) credit (1.0 general credit) is approved for California, New Jersey, New York, Pennsylvania and West Virginia. Credit for all other states is available upon request pending approval.