COLLECTED WISDOM™ on Cybersecurity Risks and LiabilitiesThis is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries. This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic. If you find a broken link or an items that you feel is outdate, irrelevant or no longer appropriate, please let us know.
Keeping Participant Data Safe: Duty BoundCybersecurity is essential for protecting retirement plans and participant data, as emphasized by industry experts Bonnie Treichel from Empower Retirement and Matt Johnson from Alpha Guard during a webinar hosted by Broadridge titled "Retirement Plan Cybersecurity: Keeping Your Participant Data Safe." They highlighted that prioritizing cybersecurity is not only wise and prudent but also a critical duty for organizations. Source: Asppa-net.org, December 2024
The DOL Expanded Cybersecurity Guidance: What ERISA Plan Sponsors and Fiduciaries Need to KnowOn September 6, 2024, the U.S. Department of Labor released Compliance Assistance Release No. 2024-01, titled "Cybersecurity Guidance Update." This updated guidance clarifies that DOL's cybersecurity protocols apply to all ERISA-covered plans, including health and welfare plans, not just retirement plans. In response to service provider concerns, the DOL emphasized the need for plan sponsors, fiduciaries, recordkeepers, and participants to implement strong cybersecurity practices across all employee benefit plans. The update underscores the importance of robust security measures to safeguard participant information and plan assets amid evolving cyber risks. Source: Beneficiallyyours.com, November 2024
UC Schools Report Fraudulent Activity in Fidelity Retirement AccountsThe University of California reported fraudulent activity related to Fidelity retirement accounts, revealing unauthorized transactions and breaches of account security. An internal investigation uncovered multiple instances of fraud, leading the university to implement stronger security measures. Affected individuals have been advised to closely monitor their accounts for suspicious activity. Fidelity is cooperating with the investigation to improve security and prevent future incidents. Source: Planadviser.com, October 2024
A Guide to Buying and Maintaining CyberinsurancePlan sponsors should understand that their fiduciary liability policy is not a substitute for cyber insurance. The cyber insurance market is intricate. Some product sellers are more knowledgeable than others, and some have access to more potential markets. Cyber insurance is not standardized, so sponsors need basic knowledge to evaluate insurance options and policy details properly. Source: Plansponsor.com, October 2024
Insider Threats: Are Disgruntled Employees a Cybersecurity Risk?Most plan sponsors' cybersecurity concerns are that outside hackers will attempt to get access to their systems, but disgruntled employees can also pose a threat. Internal threats account for about 20% of security threats, according to the Verizon 2022 Data Breach Investigations Report, making them rarer than outsider cybersecurity hacks. Still, certain employees, such as those in human resources, information technology, or treasury, may have access to plan information or other personally identifiable information. There are, however, ways to prevent or limit potential damage caused by disgruntled employees. Source: Plansponsor.com, October 2024
Plan Security Relies on Vetting 3rd-Party ProvidersRetirement plan recordkeepers' increasing reliance on third-party vendors for various administrative services and tools poses a challenge for plan sponsors who need to vet these vendors, especially as many have been exposed to cybersecurity breaches in the past year. To protect participant data and personal information, plan sponsors should be aware of the subcontractors with which their recordkeepers work, of which have access to participant data, and of how to respond to a breach when one occurs. Source: Plansponsor.com, October 2024
Six Steps to Help Participants Safeguard DC AssetsIn the second quarter of this year, there were 877,536 phishing attacks, according to a report by the Anti-Phishing Working Group, a not-for-profit coalition of cybercrime experts. Meanwhile, Cofense, an email security firm, notes that hackers often use times such as open enrollment and 401k updates to hack into participants' accounts. Justin Greis and Charlie Lewis, partners in consultancy McKinsey & Co., say that "no single control is a silver bullet to protect savers from becoming victims." However, they do provide six steps that fiduciaries can share with participants to help protect them from harm. Source: Planadviser.com, September 2024
Cyber Risk and Cybersecurity for Retirement Plan SponsorsThe digital nature of retirement plan administration makes plans tempting targets for cybercriminals. From phishing attacks to account takeovers, plan participants, recordkeepers, and sponsors are at risk of significant financial losses and brand damage. In this article, learn more about cyber risk management for retirement plans. Source: Captrust.com, September 2024
EBSA Updates Cybersecurity Guidance for Plan Sponsors and FiduciariesFollowing a 2022 recommendation from its ERISA Advisory Council, the DOL on Sept. 6 issued a new Compliance Assistance Release that provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. The release updates the DOL's 2021 guidance. Source: 401kspecialistmag.com, September 2024
DOL Updates Cybersecurity GuidanceThe DOL updated its cybersecurity guidance confirming that it applies to all types of plans governed by the ERISA. The new Compliance Assistance Release provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. Assistant Secretary for Employee Benefits Security Lisa M. Gomez said "These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information." Source: Dol.gov, September 2024
Cybersecurity Best Practices for Retirement PlansArtificial intelligence deepfakes, including fraudulent correspondence, voice impersonations, and videos are hitting financial institutions and their customers. There is no single solution for managing these threats, especially as AI-based methods continue to evolve. However, plan advisers and their sponsor clients can implement cybersecurity plans that will help keep the bad guys at bay. In this article, experts discuss how plan fiduciaries can stay up to speed. Source: Planadviser.com, September 2024
Keys to Guarding Retirement Plan Data Against Human ErrorAs the digital age evolves, so too do the risks that threaten the security of employer-sponsored retirement plans and their data. Human error within organizations poses a significant risk, as hackers are adept at taking advantage of these vulnerabilities. Understanding and mitigating these risks is therefore crucial for plan sponsors, recordkeepers, and participants alike. Source: Planadviser.com, September 2024
Merrill Data Bungle Hits Walmart 401k PlanMerrill Lynch is the latest broker-dealer to report a snafu in handling client private data, with the Maine Attorney General's office last week disclosing that Merrill, as the recordkeeper for Walmart's 401k plan, revealed private client information to an "unauthorized recipient" having nothing to do with the plan. Source: Investmentnews.com, June 2024
Why Retirement Plan Sponsors and Fiduciaries Need to Know about the SEC Cybersecurity AmendmentsOn May 15, 2024, the SEC adopted amendments to Regulation S-P which governs the treatment of nonpublic personal information about consumers by certain financial institutions, many of which are commonly vendors and service providers to retirement plans. When assessing the cybersecurity of a retirement plan service provider that is a financial institution, plan fiduciaries may want to be aware of these SEC requirements as part of their assessment process. Source: Workplaceprivacyreport.com, May 2024
Merrill Cyber Leak Exposes Walmart 401k ParticipantsOver a thousand participants in the Walmart 401k Retirement Plan were exposed to a data breach by recordkeeping provider Merrill Lynch, after an employee accidentally revealed private information that included names and Social Security numbers to an unauthorized user. The data breach impacted 1,883 Walmart employees who were enrolled in the company's 401k Retirement Plan. Source: 401kspecialistmag.com, May 2024
J.P. Morgan Sued for Data ExposureA participant in a retirement plan managed by J.P. Morgan Chase & Co. has initiated legal action against the company following recent reports of a data breach where over 451,000 plan participants' details were exposed. According to the lawsuit filed in the U.S. District Court for the Southern District of New York on May 3, former Long Island Railroad employee Benjamin Valentine's personal information -- which he entrusted with J.P. Morgan on the mutual understanding that the firm would protect it against disclosure -- was "targeted, compromised and unlawfully accessed due to the data breach." Source: Planadviser.com, May 2024
A Cybersecurity Audit Survival Kit: What Plan Sponsors Must Do to PassSince issuing its first cybersecurity guidance in 2021, the DOL has laid out what it expects plan sponsors to do. The work requirement to follow all the DOL's cybersecurity guidance is substantial. Many organizations don't have the resources to comply fully, or they don't feel an urgency to put their resources toward it, but it appears that cybersecurity will be part of all DOL retirement plan audits. Six experts spoke with NAPA Net about what they think the DOL will expect from plan sponsors with their cybersecurity policies and procedures. Source: Napa-net.org, May 2024
How Should a Plan Sponsor Respond to a Data Breach?The data breach incident that took place at J.P. Morgan Chase in February, impacting more than 451,000 plan participants, serves as an opportunity for plan sponsors to reflect on their cybersecurity practices and consider what action they would take if they found themselves in a similar situation. If you were a plan sponsor, who, for example, uses J.P. Morgan as its recordkeeper, and is notified of a breach in which participant information has been exposed, what should their plan of action be? Source: Plansponsor.com, May 2024
Retirement Plan Access and Fraud Prevention ConsiderationsAs a significant investment for many Americans, retirement plan assets are an attractive target for cyber hackers globally. Plan participants need to take common-sense measures to safeguard their accounts. Plan sponsors face the dual challenge of providing online access to participants' retirement plans while keeping their information secure. Implementing and maintaining a proactive cybersecurity strategy is key for both parties. Here are a few items to consider. Source: Spconsultants.com, April 2024
Plaintiffs Request Judge Approve Settlement in ERISA Data Breach LawsuitRetirement plan participants whose personal identifiable information was exposed in a 2021 data breach have asked a Georgia federal judge to approve an $8.733 million agreement to resolve allegations, which claimed national consultant Horizon Actuarial Services LLC failed to safeguard their sensitive data. Source: Plansponsor.com, March 2024
Is Your Plan Cyber-Secure? Fiduciaries and Vendors Face Ongoing ChallengesNo steps will ever provide 100% protection against breaches, but in this article, attorney Carol Buckmann discusses the state of the law, court cases in which participants have sued to get stolen benefits restored, and practical steps that can be taken by the company's fiduciaries to better protect participants and lower the risk of loss. Source: Cohenbuckmann.com, March 2024
401k World: Cyber ThievesWith a quick Google search, anyone can get a sense of the massive amount of money in workplace retirement plans and individual retirement accounts. What may be less known, but not too hard to figure out for hackers, is that retirement plans' unique business model creates multiple potential openings for breaches, according to experts. This article delves into cybersecurity threats to retirement plan assets and the industry's approach to combatting them. Source: Planadviser.com, March 2024
ERISA Fiduciary Concerns Relating to Cybersecurity: Theft of Plan AssetsSince a cyber breach is not a matter of "if," but a matter of "when," fiduciaries of retirement plans should be addressing this risk. This 4-page article discusses the DOL's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries. Source: Foxrothschild.com, January 2024
Canadian Plan Sponsors More Vigilant of Cybersecurity Risks When Dealing With Third-Party Vendors: ExpertData management and transference are key areas of risk for pension plan sponsors as the vulnerability of engaging with third parties creates opportunities for cybercriminals, says Jillian Kennedy, a partner at Mercer. According to an online brief published last year by Ernst & Young, third-party service providers hired by public pension plan sponsors tend to be desirable targets of cybercriminals. Vulnerabilities can be found in plan sponsors' websites and member portals, said the report, noting investment organizations are also at risk due to the handling of investment operations conducted by its staff. Source: Benefitscanada.com, January 2024
ERISA Fiduciary Concerns Relating to Cybersecurity: Part I -- Theft of Plan AssetsSince a cyber breach is not a matter of if it will occur, but a matter of when, fiduciaries of retirement plans should be addressing this risk. This article discusses the Department of Labor's authority over cybercrimes, litigation involving cyber theft of participants' accounts, and risk mitigation techniques for plan fiduciaries. Source: Plusblog.org, December 2023
Retirement Plans and Cybersecurity: Insights for Plan SponsorsWith the increased regulatory focus and greater awareness of cyber vulnerabilities within the retirement plan industry, plan sponsors are looking for ways to meet their fiduciary responsibility in mitigating retirement plan cybersecurity risk. This article covers a few of the currently available ways in which sponsors can address the risk. Source: Berrydunn.com, December 2023
Cybersecurity Triggers a New Paradigm in Vendor MonitoringData breach statistics have constantly pointed to third-party service providers being the most significant conduit for compromised personally identifiable information or personal health information. A new era in vendor monitoring has emerged to gain efficiency in the responsibility to oversee service providers. Source: Rolandcriss.com, October 2023
How to Stay Safe From Evolving Cybersecurity ThreatsTo minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission's new cybersecurity rules, should adopt prevention measures against threats, and should be prepared to respond if an attack happens, experts say. Source: Planadviser.com, October 2023
The Future Is Now for ERISA Fiduciary Duties Around Plan DataERISA needs to catch up with the information age by identifying plan data as a plan asset, resolving the current ambiguity on that point that has led courts to decide otherwise, and developing the related fiduciary duties, argues Michael Schloss of The Wagner Law Group. Source: Wagnerlawgroup.com, October 2023
What's at Risk in a Cyberattack on a DC Plan?Every organization working with a defined contribution plan shares the responsibility for protecting from cyberattack the data, reputation, trust, and $10.2 trillion of accumulated assets in retirement plans. Safeguarding DC plans from digital security issues does not end with ensuring criminals do not steal workers' nest eggs, explains Gregg Levinson, senior director for retirement at WTW. Source: Plansponsor.com, October 2023
Protect Against a Retirement Plan Cybersecurity Breach or Else: DOLEarle Allen, Principal with CAPTRUST, asked former EBSA Assistant Secretary Preston Rutledge for an idea of what to expect from a DOL cybersecurity audit and how far plan sponsors and advisors should go in preventative measures. Here is the response. Source: Napa-net.org, October 2023
MOVEit Cyberattack Ignites Worry About Fiduciary ResponsibilityIf there's one big takeaway for plan sponsors following the massive MOVEit cyberattack that breached the personal data of millions of participants in public pension and private-sector workplace retirement plans, it's this: They may need to rewrite their vendor contracts and redouble their monitoring of service providers. While no sponsors have yet been sued, it's not far-fetched to think that they could be, according to legal experts. Source: Pionline.com, August 2023
New York Life Clients Latest Victims of Massive MOVEit Data BreachAlmost 26,000 New York Life customers had their names and Social Security numbers exposed to a data breach, the latest in a massive hack that affected hundreds of companies and millions of Americans. The hack occurred in late May and involved Progress Software, the provider of MOVEit transfer software. MOVEit is used to transfer client data securely. Source: Napa-net.org, August 2023
Moveit Hack Brings Vendor Assessment to ForefrontRetirement plan providers and advisers should be taking a close look at vendor cybersecurity protocols after a software transfer hack exposed the private data of millions of people, including retirement plan participants, according to industry experts. SPARK Institute members guide how advisers can both prepare for and respond to participant data concerns stemming from the nationwide breach. Source: Planadviser.com, July 2023
Data Breach Impacts Nearly 172,000 Tennessee RetireesThe Tennessee Consolidated Retirement System notified retirees and beneficiaries that their names, Social Security numbers, dates of birth, and mailing addresses had been compromised. Source: 401kspecialistmag.com, July 2023
Multiple Cyber Incidents Impact Employee Benefit Plans and ParticipantsIf a retirement plan has a business relationship with any service provider that uses, used, or may have used the MOVEit software application or RCH services, the plan should determine what fields or categories of personal information were shared with the service provider(s), and by extension MOVEit or RCH, to determine the impact on the plan and its participants. Any service agreements with the applicable vendors should also be reviewed concerning data breach notification, information reporting, and follow-up obligations of the service provider(s). Source: Beneficiallyyours.com, July 2023
DOL Provides Cybersecurity Tips For Plan Sponsors, ParticipantsIf it wasn't already clear to plan sponsors and retirement plan advisers, Employee Benefits and Security Administration head Lisa Gomez reiterated this week the importance of cybersecurity and increased protection for participants in a new post providing eight areas for guidance. In her blog post on the Department of Labor website, Gomez laid out various tips plan sponsors and advisers can convey to participants for keeping their information safe. Source: Plansponsor.com, July 2023
Are Your Clients Insured Against Cyber Threats?Experts share tips for how plan sponsors can protect themselves from the increasing threat of cybersecurity attacks and evolving litigation. Source: Planadviser.com, June 2023
Plan Committees Need Consistent Focus on CybersecurityRetirement plans are a target today because that is where so much wealth is held by American savers. Therefore it is crucial for retirement plan committees -- and their advisers -- to engage in cybersecurity discussion and reviews as an ongoing part of their work. Source: Planadviser.com, June 2023
CalPERS Cybersecurity Breach Affects 769,000 MembersA major cybersecurity breach involves one of the world's largest pension funds. CalPERS announced last week that approximately 769,000 retired members and their families had personal information exposed in a "worldwide data security incident" that impacted one of its contracted third-party vendors, PBI Research Services/Berwyn Group. Source: Napa-net.org, June 2023
Participant Data Breach Hits Retirement ClearinghouseRetirement Clearinghouse LLC, an industry leader in driving forward the automatic portability of retirement plans, has alerted more than 10,500 individuals that their data, including individual retirement account numbers, may have been compromised. The organization alerted individuals with written notice, dated May 12, that their information may be at risk for fraud, according to public filings in the states where they are located. Source: Plansponsor.com, May 2023
Plan Sponsors Should 'Definitely' Have Cyber Liability Insurance: Lisa GomezAt PSCA National just last week, ARA CEO Brian Graff and EBSA Assistant Secretary Lisa M. Gomez discussed a wide range of topics, including the many misunderstandings about cyber liability insurance (which could be a huge fiduciary failure) and the ESG rule. Source: Napa-net.org, May 2023
401k Participant Drops Data Breach Suit Against TransamericaA retirement plan participant has dropped a lawsuit filed against Transamerica Retirement Solutions alleging that the retirement plan provider failed to exercise reasonable care in securing and safeguarding personally identifiable information, including names, addresses, Social Security numbers, and retirement fund contribution amounts. Source: Planadviser.com, March 2023
Who's Liable When a Plan Participant Is a Victim of Identity TheftBecause of the scarcity of case law and regulatory guidance on the issues, any case that analyzes the liability of ERISA plan sponsors and service providers following a cybersecurity incident and/or identity theft will be heavily scrutinized. A recent opinion in the Southern District of New York has widened the scope of liability for potential ERISA defendants in actions seeking to recover fraudulent distributions from ERISA-covered plans. It has also made new legal determinations that, if followed by other courts, will have an impact on future suits by plan participants seeking to recover lost retirement plan money. Source: Wagnerlawgroup.com, February 2023
Responding to a Cyberterrorist AttackIt is a growing club that no one wants to join: the club of companies that became victims of cyberterrorism. Whether the release of credit card data from the infamous Target inside job, the gas pipeline shutdown at Colonial Pipeline, or the more recent CNA Financial ransom attack, it is often not a question of "if" a company will be attacked, but "when." Recently, a major software provider to third-party administrators joined this horrible club. The question addressed here is "What should we do about this issue?" Source: Ntsa-net.org, January 2023
Cybersecurity: Retirement Plan Sponsors Can Protect ThemselvesThe digital world has opened many doors, including theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. This article reviews how plan sponsors can protect themselves and their participants while meeting fiduciary obligations. Source: Captrust.com, January 2023
The Colgate Participant Account Cyber Theft Case Survives DismissalA New York federal district court ruled on December 19, 2022, that a participant in the Colgate-Palmolive defined contribution plan adequately alleged breach of fiduciary duty claims against the plan recordkeeper and the plan fiduciary committee. It is a curious decision that is worth studying to understand whether plan participants have potentially viable claims against the plan recordkeeper and plan fiduciaries when a participant's account is hacked. Source: Euclidspecialty.com, December 2022
More Hackers Going After Retirement Savings, Experts SayEmployer retirement accounts are facing increasingly sophisticated attacks by hackers looking to get a slice of worker savings, and cryptocurrency investing is particularly at risk for scams, according to two financial-focused cybersecurity experts. Source: Planadviser.com, December 2022
SPARK Releases Updated Data Security Best PracticesThe SPARK Institute released Monday its Plan Sponsor and Advisor Guide to Cybersecurity, laying out its specific data security "Best Practices and seventeen Control Objectives." Developed by its Data Security Oversight Board, SPARK's best practices and control objectives establish a base of communications between recordkeepers and the public through third-party audits of cybersecurity control objectives. Source: Planadviser.com, November 2022
SPARK Institute Releases Updated Cybersecurity Standards for Plan Sponsors and AdvisorsRecordkeepers and retirement industry consultants are banding together to beef up cybersecurity. A collaborative effort between recordkeepers and consultants leads to updated Data Security Best Practices and a new Plan Sponsor and Advisor Guide to Cybersecurity to strengthen the retirement industry's defenses against cyber criminals. Source: 401kspecialistmag.com, November 2022
Cybersecurity: Insights and Action StepsCybercriminals are creative and resourceful and they're not just after bank accounts. Industry experts in a recent webinar cautioned that retirement plans are in their sights as well. This article outlines some concrete steps that can be taken to address and protect retirement plans against cybercrime. Source: Ntsa-net.org, October 2022
Cybersecurity Breach Suits Raise Questions About Liability for Benefits PlansCybersecurity breaches concerning workers' personal information and retirement savings have increased liability risks for benefit plans and third-party administrators under federal benefits laws. In February 2021, the GAO issued a report warning about these increased legal risks for ERISA plan fiduciaries due to cyber breaches. The GAO also warned that outsourcing various functions involving retirement plans to third-party administrators could increase the potential for unauthorized access to participants' information. In recent years, the GAO's warnings have become a reality. Source: Hallbenefitslaw.com, October 2022
Is It Time for ERISA to Be Amended to Cover Cyber Crimes?It is no surprise that cyberattacks are a grave concern for sponsors of retirement plans. Under ERISA fiduciaries and persons handling funds must be bonded to protect against fraud and dishonesty. This article discusses this required ERISA bond and the interplay of other types of insurance coverage and concludes with a recommendation that Congress amend ERISA to require insurance to address cyber crimes. Source: Foxrothschild.com, October 2022
Common Myths of Cyber Insurance for Employee Benefit PlansCyber insurance is a critical component of the cyber security risk management program necessary to protect employee benefit plans and participant retirement assets. But the current way plan fiduciaries seek cyber and crime coverage needs to change and this article explains why. Source: Euclidspecialty.com, October 2022
In Cybersecurity Enforcement Action, Seventh Circuit Rejects Service Provider's Challenges to DOL SubpoenaIn an enforcement action involving an administrative subpoena seeking documents from a service provider for employer-sponsored health and retirement plans, the Seventh Circuit held that the DOL's investigatory authority under ERISA is not limited to ERISA plan fiduciaries. The Seventh Circuit also concluded that the subpoena was not too indefinite or unduly burdensome. Source: Westlaw.com, October 2022 401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC. | |||
About
| Glossary
| Privacy Policy
| Terms of Use
| Contact Us
|