Retirement plans see rise in cyberattacks

Threats pose new risks for fiduciaries of employer-sponsored plans.
SEP 01, 2018
Cyberattacks have made their way into the U.S. retirement system. While we may have hoped that employer-sponsored retirement plans would escape the types of cyberattacks plaguing financial service providers and dominating headlines, service providers to employee benefit plans have experienced a substantial increase in cyberattacks over the past few years. One plan record keeper noted that the number of these attacks has more than doubled since 2016. Cybersecurity threats present new risks for fiduciaries of employer-sponsored retirement plans, as well as for the advisers and other providers who serve them. These risks can be mitigated, however, and advisers and other plan service providers can add real value to client relationships by helping their clients navigate them.

While all cyberattacks involve criminal activity, they vary in technical sophistication and financial impact. Some attacks seek only to steal personal, confidential information, while others aim to steal money from a plan. Here are some of the most common cyberattacks:

• "Malware" is software used to gain illicit access to, or control over, a computer or network. A notorious type of malware is "ransomware," which encrypts or locks a computer and its files and demands payment to restore access. Paying does not guarantee that access will be restored, so tested offline backups are the practical defense.

• "Phishing" is an attack in which individuals are tricked into providing their log-in credentials, often by following a hyperlink in a fake but official-looking email that leads to a counterfeit log-in page.

• Fraud encompasses stealing retirement plan assets or data through deception and misrepresentation. For example, a person might call a plan record keeper's call center, falsely claim to be a participant, and request a distribution.

These types of attacks frequently build on and follow one another. For example, an attacker might gain access to a record keeper's participant database through a phishing email sent to one of the record keeper's employees. Participants' personal data could then be used to impersonate them in an attempt to obtain distributions from their plan accounts.

No single governing law

While there is no single law governing the cybersecurity of retirement plans, several sources of potential liability can result from a failure to maintain adequate procedures to protect plan data and assets.

First, the Employee Retirement Income Security Act of 1974 (ERISA) requires fiduciaries to exercise prudence in the administration of employee retirement and health plans. To the extent fiduciaries do not maintain prudent procedures to mitigate cybersecurity risks and an incident occurs, they may be held liable for a breach of fiduciary duty.

Second, myriad state privacy laws may apply, and state administrative agencies may bring enforcement actions against companies that suffer cybersecurity incidents.

Third, advisers and other service providers from whom plan assets or data are stolen may be subject to contractual liability for failing to take commercially reasonable precautions. If a cyber incident can be traced to a specific service provider, that provider may be expected to make the plan whole for losses suffered by the plan and its participants. The expenses the service provider could be exposed to include:

• Costs to determine the extent of the breach and to recover damaged data.

• Reimbursement of stolen assets.

• Identity-theft protection and monitoring costs for plan participants.

Although it is not possible to eliminate cyberbreaches entirely, advisers, plan service providers and plan fiduciaries should establish a prudent process for understanding and managing the risks. It is becoming more common for plan fiduciaries to ask prospective plan providers about their cybersecurity policies and procedures as part of the request-for-proposal process. Advisers and other service providers that have such policies and procedures in place, and can help a plan develop or refine its own, may therefore have a competitive advantage in the marketplace.
The content of such policies and procedures will depend on each enterprise's circumstances, but the high points to cover include:

• Taking inventory of where participant and other confidential data is stored and who has access to it.

• Strategies to prevent a cybersecurity incident, which may include training for employees and plan officials; a "data diet" that limits the data collected and retained to what is needed and restricts access to those who need it; and keeping software and hardware up to date, including patching, encryption and firewalls.

• Regular monitoring to identify vulnerabilities and to detect whether an intrusion has occurred.

• Steps to take when an incident occurs, including determining its scope, notifying plan participants and enacting corrective measures.

Advisers and plan service providers may also want to consider purchasing cybersecurity insurance. Traditional fiduciary liability or errors and omissions insurance may not provide the necessary coverage, or may limit coverage until a legal claim is made.

Stephen M. Saxon is a partner at Groom Law Group.
