Cyberattacks Are on the Rise: Plan Sponsors, Is Your Retirement Plan Protected?

As cyberattacks become more and more commonplace, plan sponsors need to take steps to defray unwanted liability.

Developments in areas of artificial intelligence (AI), quantum computing, and the expansion of the Internet have revolutionized the way we all live. Despite the positive aspects of these developments, there is an increasing trend of concerted assaults launched upon the unknowing and unwary.

Today, cyberattacks are causing considerable damage, the effects of which are being suffered through all levels of our society. Businesses, hospitals, schools, and even governmental entities—which frequently maintain outdated, unsophisticated computer systems—have all fallen victim to cyberattacks. It should not be surprising, then, that private-sector retirement accounts are increasingly under attack and qualified plan sponsors are facing many questions and concerns. Given that federal law imposes a fiduciary duty and responsibility for the security of plan assets, what must they do as cybercriminals place their hands into the figurative cookie jar?

In answering this question, it is important to first understand the contours of this duty. A fiduciary duty is the highest legal responsibility that arises between a fiduciary and a beneficiary, exposing the fiduciary to personal liability for any breach of that duty. The responsibility mandates that the fiduciary act strictly in the best interests of beneficiaries, underscored by the duties of loyalty, care, and good faith. A breach of fiduciary duty can result in, among other things, legal action by a beneficiary seeking compensatory and even punitive damages for the harm suffered on account of the breach. Such an action may also allow the beneficiary to recover attorneys’ fees. Some examples of fiduciary relationships include the trustee-beneficiary relationship and the plan sponsor–plan participant relationship.

This fiduciary duty governing the plan sponsor–plan participant relationship first arose upon the enactment of the Employee Retirement Income Security Act of 1974 (ERISA). ERISA is a legal cocktail consisting of equal parts tax law and labor law, predicated on implementing minimum standards of protection for all private-sector qualified plans. Under this federal law, plan administrators, trustees, and all others exercising discretionary authority over plan assets and benefit determinations are charged with the fiduciary duty to manage the plan and its assets in the exclusive interests of the participants. ERISA’s high legal standard of conduct, known as the “prudent man standard,” tasks plan sponsors with safeguarding employee benefits and accounts while minimizing potential losses. As such, a breach of this fiduciary duty can result in the fiduciary’s personal liability.

ERISA, however, was enacted in 1974. Cyberattacks were inconceivable at that time, since pension plans did not rely heavily on computer technology to manage plan administration and recordkeeping. As of 2018, according to the Employee Benefits Security Administration of the U.S. Department of Labor (DOL), approximately $9.3 trillion was held in trust for participants of private-sector pension plans. Moreover, the FBI, in its 2021 Internet Crime Report, announced that approximately $6.9 billion was stolen through cyberattacks. Given the money at stake and the potential for financial ruin, plan participants demand that plan sponsors make them whole from losses suffered by cyberattacks. Such demands have resulted in increasingly expensive and protracted litigation, for which plan sponsors have no insurance.

For example, in Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive, the federal district court held that the participant’s ERISA breach of fiduciary duty claim would survive a defendant’s motion to dismiss. There, the plan participant was a victim of identity theft in which the perpetrator tricked the third-party service provider of the participant’s company-sponsored savings plan into changing her personal information (home address and PIN) on her pension account. Consequently, the perpetrator was able to steal the entirety of the $750,000 in the participant’s savings account by having the trustee bank mail a check to an unrelated Las Vegas address. The participant sued the Employee Relations Committee of Colgate, which served as the plan administrator; Alight Solutions, which provided contract administration; and BNY Mellon, which served as the plan’s trustee. All three defendants filed motions asking the court to dismiss the participant’s claim.

In assessing the motions to dismiss, the court began by noting that ERISA imposed fiduciary duties upon the Employee Relations Committee—the entity that is “ultimately responsible for protecting the plan’s assets.” Upon review of the plaintiff’s claims, the court denied the committee’s motion on the grounds that “the information about the committee’s monitoring is solely within the knowledge of the committee,” and that discovery could potentially bring pertinent information to light. The court noted, however, that the committee is by no means “an insurer against any and every possible wrongdoing” and that “if it took reasonable steps to ensure that fraud and theft would be detected (which quite possibly includes by hiring a reputable contract administrator), it will not be deemed to have breached its fiduciary duty,” even though money was ultimately stolen. The court similarly denied Alight’s motion but granted the bank’s.

In light of this and other similar cases, there has been increasing recognition that the fiduciary duties imposed under ERISA apply fully to cyberattacks targeting retirement accounts. As a result, plan sponsors and other fiduciaries face the risk of being “on the hook” for such losses.

These developments have left fiduciaries with uncertainty surrounding the extent of their duty to safeguard participants’ retirement assets, as well as the personal information stored in the files of the qualified plans. To address these concerns, the DOL in 2021 turned its attention to the threat that cybercrime poses for qualified plans by releasing guidance to assist fiduciaries in navigating a world where cyberattacks have become more and more commonplace.

Under this guidance, the DOL outlines three areas in which prudent best practices can be adopted to safeguard retirement plan accounts. First, plan sponsors are urged to enhance their selection criteria when choosing providers. Some of these measures include—but are not limited to—inquiring into the provider’s security standards and the metrics by which these policies are assessed. This review should include evaluating whether the provider has cyberinsurance coverage in place in the event of a breach and researching whether the provider has ever experienced security breaches in the past—and, if so, what countermeasures were subsequently taken. In essence, these recommendations place upon plan sponsors new expectations in exercising due diligence and prudence when selecting a service provider for their participants. In so doing, plan sponsors are encouraged to compare the numerous providers to ascertain which one best promotes cybersecurity practices.

The guidance additionally focuses on plan fiduciaries and recordkeepers, recommending best practices to mitigate risk of cyberattacks. Some of these recommendations include conducting periodic risk assessments along with cybersecurity training for both management and employees while implementing a clear internal structure of security roles and responsibilities. These measures are part of a well-maintained cybersecurity program, ensuring that data or other assets managed by third parties are routinely scrutinized by security reviews and requiring that all sensitive data be encrypted.

Finally, the DOL outlines certain safeguards that plan participants themselves should adopt. Here, the DOL contemplates a symbiotic relationship in which plan sponsors assist the participant and vice versa. Such recommendations include consistently monitoring one’s account with a keen eye toward suspicious activity, creating complex passwords that differ from the passwords used for other accounts, being constantly on the lookout for phishing attacks, installing the latest antivirus software on one’s computer, and avoiding logging into retirement accounts over public Wi-Fi. In the event that suspicious activity is noticed, the guidelines urge participants to contact their sponsors immediately.

It is important to note that the guidance offered by the DOL acts as a general rubric, containing default recommendations to help plan sponsors and participants better understand their joint responsibilities during these times of cyberpiracy and assault. No one should confine future actions exclusively to the guidelines. Instead, they should go beyond the best practices contemplated by the DOL. These guidelines are, in essence, only a beginning and not an end.

A world rife with cyberattacks has caused great uncertainty to fiduciaries, especially when personal liability is at stake. This uncertainty causes deep concern, but plan sponsors should be assured that mechanisms exist to bring much-needed closure. The first step for affected parties is to comprehend the threats and to embrace the full array of countermeasures at their disposal. Through the implementation of prudent actions, coupled with vigilance and training, plan sponsors can take the necessary steps to defray unwanted liability.

Gary S. Young is a partner at Mandelbaum Barrett’s corporate, ERISA practice, and employment law groups. Patrick A. DaSilva is a 3L at Seton Hall University School of Law and a current law clerk at Mandelbaum Barrett.

From: BenefitsPRO