5 Steps to Reduce 401(k) Plan Litigation Risk 

In uncertain times, a few simple actions can improve fiduciary processes and reduce your plan’s litigation risk.

Market volatility in recent months has left many retirement plan participants scrutinizing their 401(k) account balances, particularly as economic conditions trigger layoffs and force employers to suspend matching and non-elective contributions. At the same time, recent years have seen an increase in 401(k) plan litigation related to plan investments, fees, and recordkeeping practices. In uncertain times, a few simple actions can improve fiduciary processes and reduce your plan’s litigation risk.

1. Review cybersecurity practices and contractual protections.

As the world has shifted to remote work in light of the Covid-19 pandemic, cybersecurity risks have increased significantly. Workers have been victims of data breaches, videoconference interruptions, and email phishing schemes.

Given the large amounts of money held in 401(k) accounts and the increasing reliance on online platforms to manage them, 401(k) and similar plan accounts are prime targets for two types of cyber attacks: (1) theft of sensitive participant data, which could ultimately lead to identity theft, and (2) theft of participant retirement funds, through fraudulent online transactions. Plan fiduciaries should take action now to guard electronic access to both monetary assets and sensitive participant data.

One of the most effective ways to manage this risk is to educate participants. Many breaches arise from shared or simple passwords, and participants often ignore enhanced security protections such as dual authentication to access accounts. Plan fiduciaries should keep participants informed about the evolving features that recordkeepers have available to help protect their accounts.

Additionally, it is important to remind participants to periodically monitor their accounts so that they are able to mitigate any damage in the event their information is compromised. Similarly, plan fiduciaries should review the employer’s internal practices for handling participant data and account information.

Plan sponsors should also reach out to their service providers to understand the steps they are taking to protect participant data and account balances. It also may help to dust off old service agreements and review their cybersecurity provisions, including the service provider’s obligation to maintain security software, liability and obligations for breaches, the ways in which participant data may be used, rights to audit service provider practices, and the ability to revisit and renegotiate as risks and best practices evolve.

2. Review and update plan governance structure.

Who is responsible for selecting 401(k) investment options? Who makes plan administration decisions? Over time, practices can drift inadvertently from the authority outlined in plan documents or other plan governance materials. Many plan documents simply provide that the plan sponsor is responsible for these fiduciary functions, without clearly specifying a responsible party.

If your plan document is silent on how this authority is distributed, now is the time to prepare written documentation clearly stating how fiduciary authority is divided and may be delegated. For example, plan sponsors may wish to have a designated committee acknowledge and accept responsibility for selecting investments.

Similarly, it may be helpful to have a dedicated committee or employee in the benefits or HR department who is clearly responsible for plan administration. Documenting a plan’s governance structure ensures that plan fiduciaries take their roles seriously, helps minimize the number of individuals at the employer who may be drawn into litigation, and can help secure a preferential standard of review for benefit claim decisions in plan litigation.

3. Educate plan fiduciaries.

Employee Retirement Income Security Act (ERISA) plan fiduciaries, including plan administrators and investment fiduciaries, have a tough job: The ERISA fiduciary duty has been called “the highest known to the law” (see Donovan v. Bierwirth, 680 F.2d 263 (2d Cir. 1982)). Given that standard, it is important to periodically educate plan fiduciaries on their responsibilities, evolving case law, and best practices.

Most investment advisers and ERISA legal counsel can provide training at minimal cost, and will cover key areas such as the scope of ERISA fiduciary duties, identifying fiduciaries, monitoring delegates and service providers, self-dealing, and plan governance provisions.

Fiduciary trainings may also cover ERISA hot topics in more detail, such as administering participant claims, cybersecurity, and fiduciary safe harbors for participant-directed accounts. These education sessions remind fiduciaries of the importance of taking their obligations seriously and help them focus on ways to minimize risk. In the event of plan litigation, or even a Department of Labor audit, routine and periodic trainings demonstrate the plan fiduciary’s procedural prudence.

4. Focus on process.

When it comes to selecting plan investments, the process a plan sponsor follows in evaluating, selecting, and monitoring investments is as important as actual performance. This means preparing an investment policy statement outlining plan investment objectives and factors for how investments will be chosen, evaluated, and replaced.

An investment policy statement may also address the selection and monitoring of investment service providers, advisers, and managers. The investment fiduciary should hold periodic meetings (at least twice per year) in which it reviews the investment options, including fees, performance relative to benchmarks, and default investment funds. All deliberations and decisions should be documented in meeting minutes.

It is also important for plan fiduciaries to have a process for monitoring plan service providers and the fees they are charging. Plan fiduciaries should meet periodically to discuss service provider performance and should regularly evaluate whether the fees they are charging are reasonable. This can be done through a full-blown request for proposals (RFP) or by obtaining informal fee benchmarks.

5. Limit time to bring claims.

ERISA requires that plan participants exhaust a plan’s claims procedures before bringing a lawsuit to enforce their ERISA rights. Many plan claims procedures also impose a limit on the time in which a participant can bring suit after a final appeal has been denied. Various courts have upheld these plan-specified limitation periods, as long as the limitation period is reasonable.

Deadlines ranging from 90 days to 3 years have been held reasonable, though most 401(k) plans impose a limitation period of one year following the final denial of an appeal. Any such limitation should be clearly communicated to plan participants in the summary plan description and communications (including claim and appeal denial letters).

Preventing disruption and plan losses can keep participant retirement savings on track and save plan sponsors from the difficulties of litigation. In an era of increased uncertainty, these five steps will help streamline plan governance while managing 401(k) litigation risk.

Brenna Clark is a partner at Eversheds Sutherland and focuses her practice on a range of employee benefits and compensation matters. She advises clients with respect to the design, implementation, and compliance of qualified and nonqualified retirement plans, executive compensation arrangements, fringe benefits, and other benefit programs.

Brittany Edwards-Franklin is an associate at Eversheds Sutherland who counsels clients on a range of employee benefits matters, including qualified retirement plans, nonqualified deferred compensation, and executive compensation.