With cybersecurity threats getting increasingly sophisticated and costly, plan sponsors can no longer afford to wait to address the threats to their retirement plans.
In a Dec. 16 webinar by the Plan Sponsor Council of America, Daniel Aronowitz, Managing Principal with Euclid Fiduciary, and David Levine, Principal at the Groom Law Group, walked webinar participants through the different types of cyberattacks, as well as recent regulatory, legal and industry developments and how plan sponsors can protect themselves.
In today’s environment, it’s not a matter of if, but when, a plan will come under attack, because most benefit plans and service providers now rely on technology to expedite transactions that used to occur only on paper, the two panelists explained. Moreover, plans hold an extensive amount of information and data that malicious actors want, including personal and financial data that is valuable on the dark web, they noted.
“It’s important to remember that there’s an ecosystem here of how a plan operates and you, as the employer and plan sponsor, have a big role. When we talk about security, it not only relates to your vendors, but it relates to what you do internally with all your personnel,” Levine observed.
According to Aronowitz, the most common types of threats are:
- ransomware that includes extortion demands and holding data for ransom;
- business email compromise, such as social engineering and phishing schemes; and
- wire and retirement fraud involving fake invoice schemes and unauthorized loans and withdrawals.
“For years, I think it was hidden because I think the recordkeepers did a good job of just handling it, but now you’re seeing more fake invoice schemes, unauthorized loans and withdrawals. And a lot of them are going into the portal to the recordkeeper where someone tries to set up a new account or a new loan,” Aronowitz noted.
And in the case of ransomware, where someone places malicious software on your system and holds your data in exchange for payment, even if the data does not get out, it will still cost the plan a lot of money just to figure out forensically what happened, he added.
Moreover, with respect to 401(k) plans, ransomware can create quite a challenge, Levine noted. For example, the Department of Labor and IRS require deposits of contributions within a certain timeframe, but if your system is locked, it is difficult to deposit the contributions until you get the issue straightened out. The good news, according to Levine, is that “recordkeepers have backup systems, and they oftentimes will have relationships with the other vendors to back up data and secure archives.”
Business email compromise can also create extensive challenges, whereby an email account becomes compromised, and criminals send an email message that appears to come from a known source making a legitimate request to reveal confidential information or to carry out a certain request, such as a plan distribution, Aronowitz explained.
Levine added that with the recent guidance from the DOL allowing electronic delivery to be the default for plan communications, it will be important to be mindful of the threats. “If you start doing electronic delivery and your business email gets compromised, or even your personal one, you run into the issue that someone can log into your account and verify items—that takes down a lot of protections,” he explained.
Moreover, if you’re the person responsible for authorizing transfers to fund 401(k) contributions, for instance, and you get compromised, that’s a challenge because you could find yourself in a situation where your company was supposed to fund something and did not. “Truthfully, the Department of Labor won’t care. If the money is not there, they are going to blame you for it,” Levine warned.
Turning to legal obligations, Levine explained that ERISA does not have specific language or provisions addressing cybersecurity, but the statute does impose a broad range of fiduciary duties on plan fiduciaries. And legal claims relating to cybersecurity, he noted, are often based on the core concepts of prudence and loyalty.
In questioning whether cybersecurity is an ERISA fiduciary duty and who has responsibility for it, Levine explained that oftentimes nobody will say cybersecurity is owned by one person, but in the end, “the buck probably stops with your committee.” The pertinent legal claims are: was it prudent, was it loyal, was it a prohibited transaction in relation to what you did, how you handled data or selected a vendor, who handled data, and whether you had a process in place, he observed, adding that the reality is that “it’s a Whack-a-Mole game at this point.”
Moreover, in April 2021, the DOL issued its first formal cybersecurity guidance for plan sponsors in the form of best practices, including for handling plan service providers. While that guidance is not necessarily binding, the DOL is going to treat it like it is, Levine emphasized. As part of its best practice guidance, the DOL offered tips for hiring service providers with strong cybersecurity practices, including:
- ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions;
- ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded; and
- find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
One of the key takeaways, he noted, is that the DOL’s view is that cybersecurity is a core plan fiduciary responsibility, and you have a duty to mitigate cybersecurity risk. In fact, DOL’s cybersecurity guidance is operating in tandem with its enforcement activities where cybersecurity has become part of its normal investigation process.
“We see this as standard table stakes, as every DOL investigation is now asking about cybersecurity. And we think if you proved you have a prudent process, then you will have done your job. It’s about a process and you need to demonstrate your process,” added Aronowitz.
As for what can be done to reduce risk, Aronowitz described the four pillars of cybersecurity, which he explained are now required in order to apply for cyber insurance coverage:
- multi-factor authentication;
- data backups;
- email security to minimize bad emails getting through; and
- endpoint protection and response to monitor what comes into your system.
Emphasizing the importance of obtaining cyber insurance coverage, Levine and Aronowitz explained that there are various types to protect against breaches, and it’s important to understand what the various policies cover and whether there are limits on liability. For instance, they explained, cyber liability insurance provides the most comprehensive protection for data breaches and claims from participants and other third parties. Fiduciary liability insurance may cover cyber liability if a loss results from a fiduciary breach or error in administration, but it will not cover a plan’s notification responsibilities or forensic and remediation expenses. In addition, they noted, cyber crime policies are available.
Aronowitz suggested that it might be best to purchase all three types of coverage from the same carrier. Why? “Because if you have a breach, you don’t want a bunch of finger pointing by the carriers, where you have your crime carrier saying it’s the cyber carrier’s and the cyber carrier saying it’s a breach of fiduciary duty. If you have all your coverage from one carrier, you just don’t have an issue—it’s the carrier’s problem.”