Retirement plans may have thousands of participants and billions of dollars in plan assets. Unfortunately, these large sums of money are attractive to bad actors who look to prey on unknowing victims by fraudulently accessing funds. Plan administrators, as fiduciaries of retirement plans, are wise to understand their legal obligations and best practices related to the security measures they must implement and maintain to protect these funds from cybercrimes.
Recent Cyber Attacks Against Retirement Plans
Earlier this year, in Bartnett v. Abbott Laboratories, et al., a retirement plan participant (Heide Bartnett) filed a lawsuit against her employer, Abbott Laboratories, the plan administrator, and the plan’s recordkeeper, Alight Solutions, LLC. According to the complaint, an individual impersonating the plaintiff attempted to access her retirement account by selecting the “forgot my password” prompt on the plan’s online recordkeeping platform. After requesting that a one-time security code be sent to the participant’s email account, which the impersonator had already improperly accessed, the impersonator gained access to the participant’s online retirement account and changed its password. Soon after, a new bank account was added to the participant’s retirement plan profile, to which funds could be directly deposited from the participant’s retirement plan account. Two days later, the impersonator called Abbott’s service center to inquire about the transaction that he or she was (illegally) facilitating and was told that a distribution could not be made to the new bank account for seven days. Meanwhile, instead of attempting to contact the participant via phone or email (the plaintiff’s preferred methods of communication), Abbott sent her a “snail mail” notice of the newly added bank account. By the time the participant received the notice, the impersonator had already looted her retirement account. Only a small fraction of the funds taken was recovered, and the plaintiff filed a lawsuit seeking to recover $245,000, plus interest and other fees, for the alleged breaches of fiduciary duty.
What Can Be Done To Stop Cybercrimes?
Although Abbott Laboratories is still a pending case, the plaintiff’s allegations are a stark reminder of the danger and risk that cybercriminals pose to retirement plans. Accordingly, plan administrators should ensure that the technical, physical, and administrative safeguards they have implemented to protect the confidentiality and integrity of plan assets satisfy basic legal requirements and meet industry security standards. Here are five areas that can serve as a starting point for a cybersecurity review in the retirement plan context:
First, plan fiduciaries should question the cybersecurity policies and procedures of their retirement plan recordkeepers and be aware of the liabilities they face for the shortcomings of their recordkeepers. Inquire about the recordkeeper’s cybersecurity capabilities and the safeguards in place to deter losses due to bad actors. In particular, inquire as to the access controls the recordkeeper has implemented to limit and verify access to an individual’s account. How are the controls created? How often are they tested? Have they ever been compromised, and if so how? What is the recordkeeper’s password policy for account access? Does the recordkeeper require multifactor authentication?
Second, identify whether the plan fiduciaries and the recordkeeper have an adequate level of cybersecurity insurance. It is also worth determining whether any existing insurance or fidelity bond coverage will provide financial relief in the case of a cybersecurity breach. If basic insurance coverage does not apply to forgery, consider a rider for additional coverage.
Third, request a copy of the recordkeeper’s data breach response plan and identify how often the recordkeeper undertakes table-top exercises or similar activities to test its response capabilities. It is important to identify where the plan sponsor fits within the recordkeeper’s plan and even to consider joint data breach exercises. If permitted, seek to identify any outside service providers and counsel that the recordkeeper has retained for such emergencies and ensure that they are qualified and capable of responding to data breaches at a moment’s notice.
Fourth, require the recordkeeper to undergo third-party security and vulnerability testing so it can identify and remediate any aspect of its security program that presents a risk. It is especially important to ensure that high- or critical-risk vulnerabilities are resolved within hours or days (not weeks or months). Accordingly, ensure that the recordkeeper has identified (in writing) an official who is fully responsible for the security of the plan’s assets. Accountability is a key aspect of any security program.
Fifth, educate plan participants. Let them know they can take an active role in protecting their own plan assets. As basic as it may seem, remind participants not to share their login or personal information with anyone. The allegations against Abbott Laboratories explain that an email account was compromised, which allowed the bad actor to have the authentication code sent to that compromised email account. Once the false authentication was accepted, the recordkeeper processed the request to add an additional bank account. Savvy participants can play an active role in the protection of their own account assets.
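As an added example (not from the article, and not any recordkeeper's actual system), the following Python models the control the Bartnett facts call for: a distribution to a newly added bank account is held, one whose payee was added right after a password reset is escalated for review, and the notice is routed to the participant's preferred channel rather than postal mail. The event records, hold periods and channel names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the sequence described in the complaint:
# password reset via emailed code, new bank account added, distribution requested.
EVENTS = [
    {"ts": "2020-01-01T10:00", "participant": "P-1", "type": "password_reset"},
    {"ts": "2020-01-01T10:05", "participant": "P-1", "type": "bank_account_added", "account": "NEW-1"},
    {"ts": "2020-01-03T09:00", "participant": "P-1", "type": "distribution_requested", "account": "NEW-1"},
    {"ts": "2020-01-02T12:00", "participant": "P-2", "type": "distribution_requested", "account": "OLD-9"},
]

# Constructed participant preferences (the plaintiff preferred phone or email over mail).
PREFERRED_CHANNEL = {"P-1": "phone", "P-2": "mail"}

NEW_PAYEE_HOLD = timedelta(days=7)   # assumed: matches the seven-day wait in the article
RESET_WINDOW = timedelta(days=1)     # assumed: payee added this soon after a reset is suspicious


def _t(event):
    return datetime.fromisoformat(event["ts"])


def review_distributions(events, preferred):
    """Return one decision per distribution request: release, hold or escalate."""
    history = {}
    for e in sorted(events, key=_t):
        history.setdefault(e["participant"], []).append(e)
    decisions = []
    for e in sorted(events, key=_t):
        if e["type"] != "distribution_requested":
            continue
        prior = [h for h in history[e["participant"]] if _t(h) <= _t(e)]
        added = [h for h in prior if h["type"] == "bank_account_added" and h["account"] == e["account"]]
        resets = [h for h in prior if h["type"] == "password_reset"]
        reasons = []
        if added and _t(e) - _t(added[-1]) < NEW_PAYEE_HOLD:
            reasons.append("payee added within hold period")
            # The Bartnett chain: credential reset immediately followed by a new payee.
            if resets and _t(added[-1]) - _t(resets[-1]) < RESET_WINDOW:
                reasons.append("payee added right after password reset")
        decision = "release" if not reasons else ("escalate" if len(reasons) > 1 else "hold")
        decisions.append({"participant": e["participant"], "decision": decision,
                          "notify_via": preferred.get(e["participant"], "mail"), "reasons": reasons})
    return decisions
```

The escalated decision carries the participant's preferred channel so the out-of-band notice reaches them before the hold expires.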
A Tough Road Ahead
Careful consideration by plan administrators has become especially important in light of the COVID-19 pandemic, because there has been a steady increase in certain cyber-related crimes during this time. The recently enacted CARES Act provides many retirement plan participants with the opportunity to take large in-service distributions and loans, and such distributions and loans are ripe for the nefarious acts that were the basis for the Abbott Laboratories case. As a result, plan administrators need to stay vigilant and ahead of the curve when it comes to cybersecurity protections.