In 2018, Forbes ran a personal finance article for investors called “Can your 401(k) be hacked?” That’s only one of many mainstream media articles published last year that focused on the possibility of a cyber-attack on your retirement savings plan. It makes sense that many consider the employer-sponsored retirement plan to be the “next” entity to fall victim to a cyber-attack. Recall the Target breach where credit cardholders’ personal information was compromised? Estimates showed the theft involved over 70 million retail customer accounts. And the Equifax breach — which included Social Security Numbers and other personally identifiable information — doubled that amount of affected consumers. Experts fear that a cyber security breach of a retirement plan or its provider could prove more detrimental than past breaches because of the direct tie between personally identifiable information and a retirement plan’s assets. Congress thinks so too. In February 2019, Senator Patty Murray, D-Washington, and Congressman Bobby Scott, D-Virginia, sent a letter to the U.S. Government Accountability Office (GAO), requesting that the GAO examine the cybersecurity of the retirement system.
In addition to the obvious account number or user password, personally identifiable information that should be protected includes names, addresses, Social Security Numbers, ages, salaries and account balances. All of this data has individual value — and such value is only increased when data sets are matched with each other. If stolen and later sold or used, the exploitable opportunities are nearly endless, including drained retirement accounts and identity theft. The stakes are very high.
What makes the prospect of a retirement plan cyber breach unique and so potentially difficult to prevent is the fact that multiple parties are responsible for such protection. Consider this: an employer plan sponsor offers a 401(k) plan to its employees where the plan itself is a legal entity and the investment assets are held in trust. This means that you have fiduciaries, such as plan trustees, investment advisors, and third-party record-keepers all with potential access to personally identifiable information. When you factor in administrators and HR departments on the employer plan sponsor side, as well as the plan participants, you end up with a throng of parties with legitimate access to an individual’s account and identifiable data. Whose job is it to ensure that all of these entities are working to protect the private information of a 401(k) plan participant? And how can investors know that those they trust with their retirement savings are working together to protect access to these monies? Great questions; let’s begin to explore the answers by first defining the legal nature of personally identifiable information.
The ERISA Advisory Council defines personally identifiable information (or “PII”) as data which can be used to distinguish or trace an individual’s identity, such as names, Social Security Numbers, addresses, account information, dates of birth, mother’s maiden name, etc., alone, or when combined with other identifiable information. As if protecting this information wasn’t difficult enough, the added element of risk comes in the form of what might be considered a fiduciary liability.
ERISA imposes a “prudent expert” standard of care on retirement plan fiduciaries. A prudent expert acts with the care, skill and diligence that the circumstances call for a person of like character to use. Fiduciaries also owe a duty of loyalty to a plan’s participants. This duty is carried out by a fiduciary acting in the sole interest of plan participants and beneficiaries for the exclusive purpose of providing benefits under the plan to those participants and beneficiaries. The million dollar question: Does the protection of PII fall under the duties of a fiduciary and require ERISA’s standard of care?
To answer a question like this, we have to seek to draw the correlation between PII and a fiduciary’s duty to provide benefits. That link lies in what is considered to be a plan asset. ERISA states that plan assets must be held in trust by one or more trustees, who are considered to be fiduciaries of the plan. Obviously, with regard to monetary plan assets — all the participants’ monies contributed to the plan, for instance — a fiduciary must take prudent steps to safeguard them from theft no matter how that theft occurs. A failure to act in a prudent manner which results in a loss is a breach of that fiduciary duty. Protecting against a cyber-attack that could lead to the theft of plan monies is certainly something for which a plan fiduciary is responsible. Even without a definitive statement from the U.S. Department of Labor (DOL), the conservative approach, backed by recent case law, has been to treat plan participant data as being a plan asset. This means that plan fiduciaries should follow the appropriate prudent expert standard of care to minimize their own risk of liability.
Unlike HIPAA privacy and security rules that apply to health care data, ERISA does not mandate a written cybersecurity policy or dictate how plans should safeguard financial information. Because there is no one-size-fits-all approach, plan sponsors and fiduciaries must act prudently. The DOL has addressed the fact that plan administrators need to “take appropriate measures to protect the confidentiality of personal information relating to an individual’s accounts and benefits,” yet has not provided specific guidance as to how that should be done. Absent federal regulation, the ERISA Advisory Council recommended that the DOL begin communicating to the employee benefits industry, as well as plan sponsors and participants, cybersecurity risks and potential approaches for managing those risks.
Complete cybersecurity stems from a three-way partnership between plan sponsors, providers and participants. Everything begins, however, with the plan sponsor. Plan sponsors can take a number of steps to help increase plan security and reduce associated risks:
Increase participant login security
It’s important to provide education to participants to help raise awareness of the importance of protecting personally identifiable information and creating complex login passwords. Plan sponsors can also insist that providers use multi-factor authentication techniques to ensure the user is who they purport to be.
Hold service providers accountable
Third-party administrators, recordkeepers, investment advisors and hired fiduciaries are all examples of providers with which retirement plans contract to provide services. These providers will have various levels of access to plan data and can be a potential source of a breach. The ERISA Advisory Council recommends that plans put forth a series of questions before entering into a contractual relationship and continuously evaluate the security precautions taken by provider partners throughout their association. Some examples of suggested questions to ask service providers include:
Many providers will issue a letter of comfort or other documentation explaining in detail how they encrypt data and safeguard against breaches. Plan sponsors and fiduciaries will be wise to seek out specifics in such service provider documentation and push the provider to back up their security claims with a participant guarantee or contractual remedy.
Consider insurance options
When considering the role that insurance will play in your cyber risk management strategy, a plan sponsor must first determine what it’s seeking to protect and guard against. It is not uncommon for other types of business insurance, such as errors and omissions (E&O), commercial liability, directors and officers (D&O) liability and crime and fraud coverage, to offer some kind of cyber risk protection, but many of these more general policies fall short. As a result, you should consider insurance that is specifically tailored to the risks as they pertain to your retirement plan.
There are two main types of such insurance coverage, cyber liability and fiduciary liability:
Because all liability insurance is complicated and often far from intuitive in terms of what a policy protects, we recommend plan sponsors and fiduciaries meet with experienced business insurance consultants to make sure their policies mesh with each other to offer complete protection and meet the prudent protection standards ERISA requires.
Recall that Congressional letter to the GAO? Of the ten specific questions posed to the Government Accountability Office, half focused on what current laws and regulators are doing to address these risks and educate plan sponsors, fiduciaries and participants. In other words, mandatory compliance is on the horizon. Conventional wisdom is that it’s not so much a matter of “if” but a matter of “when” a 401(k) plan will be the target of a cyber-attack. Plan sponsors and fiduciaries should first focus their efforts on developing a cyber breach prevention strategy to minimize risk and protect the plan’s assets, then focus on having a response and recovery plan in place in the event of a breach.
Bret works with HR professionals to ensure they have a clear understanding of the rules governing all aspects of human resources. He works with employers to maintain compliance of health and wellness benefit packages under state and federal guidelines, including rules of taxation and healthcare reform. Bret holds a bachelor of science in economics from the University of Kentucky and a law degree from the University of Pittsburgh, School of Law.
With massive data breaches at organizations such as Target, Dairy Queen, and JPMorgan, businesses are becoming more aware of the threat of hackers and external threats to their data. And while it’s important to protect yourself from such exposures, history has shown that the real enemy lies within our own companies. Don’t believe it?
What should you do to prevent a cyber attack and what should you do if it happens to your business?
One of the most valuable lessons is simply a greater awareness and respect for this type of threat. Many business owners and executives do not fully understand the risk or have the “it won’t happen to me” syndrome. As a result, they don’t do enough to prevent cyber crimes. Businesses should establish a disaster recovery plan so they are prepared if they do experience a significant loss — and, if still necessary, protect themselves with insurance coverage.