Many 401(k) plan sponsors mistakenly believe that when they delegate responsibilities to a record-keeping service provider, they have no liability for cybersecurity breaches. One recent case [Leventhal v. MandMarblestone Group, LLC (E.D. Pa. May 1, 2019)], however, held that both the plan sponsor and plan service provider have a shared liability to restore participant accounts after cybersecurity breaches.
Last year, a plan participant sued the sponsor, the record-keeper, and the custodian for data breaches [Berman v. Estee Lauder, Inc. (N.D. Cal. Oct. 9, 2019)]. The sponsor and its service providers were required to defend their cybersecurity practices in connection with three separate unauthorized distributions from the participant’s 401(k) plan account.
Cybercriminals have become increasingly sophisticated when targeting organizations holding significant assets and personal data. As a result, complaints have been filed and case law is developing that should motivate plan sponsors to satisfy their fiduciary duty to enact prudent procedures and safeguards to protect plan assets and plan data.
All 401(k) plan fiduciaries have an obligation to secure and keep private the personally identifiable information of plan participants. Although plan sponsors delegate cybersecurity responsibility to recordkeepers, they have a fiduciary duty to ensure that recordkeepers maintain a cybersecurity program. Plan sponsors can be liable if a claimant establishes that they failed to maintain a prudent process to safeguard plan assets and plan data.
The Department of Labor has not issued specific guidance on the action plan fiduciaries should implement to manage cybersecurity risk, nor is there a clear regulatory scheme governing the protection of personally identifiable information in retirement plans. Nevertheless, federal pension law requires plan fiduciaries to discharge their duties with care, skill, prudence, and diligence under the circumstances, as well as to act in the best interest of plan participants. Accordingly, plan fiduciaries need to monitor cyber-security with the same intensity as they monitor recordkeeping fees and fund performance.
A plan sponsor may be liable for a co-fiduciary contribution for money stolen from a participant’s account as a result of a cybersecurity breach. A plan sponsor that failed to follow a prudent process to safeguard plan assets and plan data may be held liable to make the plan whole, send notifications to participants of the breach or fraud, and provide participants with enhanced identity theft protection. Plan sponsors must make certain that their plan’s recordkeeper has systems and procedures in place that will protect against cybersecurity breaches and verify participant identities.
Employee benefit plan auditors routinely ask questions related to cybersecurity as a part of their systems document questionnaire. Plan auditors must know whether a plan sponsor maintains a cybersecurity policy, has programs and controls in place, and understands how service providers store and protect participant data.
Plan sponsors must adopt a cybersecurity policy and conduct recordkeeper due diligence to satisfy their fiduciary duty to secure and keep private participants’ personally identifiable information. Plan sponsors or their advisors must secure cybersecurity program representations from their recordkeeper that confirm the existence of a cybersecurity framework to protect confidentiality, secure participant information, and guard against unauthorized access. They need to have a proper understanding of the potential cyber threats and gain knowledge of their recordkeeper’s risk management strategy.
The process should include an examination of the recordkeeper’s independent audit of the internal controls relating to the service organization’s technology system and recordkeeper practices.
Plan sponsors need to know whether their recordkeepers conduct periodic risk assessments to identify cybersecurity threats, maintain procedures for advanced authentication, maintain processes to notify plan sponsors of recordkeeping system breaches, carry cybersecurity insurance, and offer a cyber guarantee.
The ERISA Advisory Council examined privacy and security issues affecting employee benefit plans, outlined cyber risk management strategies and encouraged plan sponsors to broaden their cybersecurity focus to include their employee benefit plans. The council issued a report, “Cybersecurity Considerations for Benefit Plans” (November 2016), which identified seven prudent data security practices, including third-party risk management, and set forth questions regarding service provider data protection.
Cybersecurity Capability Verification
Plan sponsors need to secure sensitive data and therefore evaluate the cybersecurity protocol of their service providers. Accordingly, plan committees need to ask for information relating to their service provider’s security procedures, whether they hold an industry-recognized cybersecurity certification, and the results of an auditor’s test of controls and results.
Nevertheless, many plan sponsors using service providers that have received a System and Organization Controls 1 (SOC 1) report identifying no cybersecurity issues mistakenly believe that they have little or no cybersecurity risk. The SOC 1 report addresses internal controls over financial reporting—not broader-entity cybersecurity controls and risk. A SOC 2 report addresses controls and risks relating to cybersecurity and to the service organization’s ability to maintain the confidentiality and privacy of information processed in its system.
Plan sponsors should develop a cybersecurity reporting framework through which service organizations communicate about their cybersecurity risk management programs in order to determine cybersecurity readiness. They need to ask appropriate questions, conduct due diligence, evaluate service provider risk management programs, determine potential risks, and take action necessary to protect plan assets and plan data.
Plan sponsors must adopt a cybersecurity policy and conduct recordkeeper due diligence to satisfy their fiduciary duty to secure and keep private participants’ personally indentifiable information.
Retirement committees may consider engaging an advisor, attorney, or consultant to establish stated control objectives, prepare cybersecurity policy, obtain plan service provider representations, assess third-party cyber risk, recommend action items, and document the process.
By addressing cybersecurity risks, plan sponsors and retirement committees fulfill their fiduciary obligation to guard against cyber attacks, limit their monetary exposure, avoid reputational risk, and protect plan participants.