Managing Cybersecurity Risk to 401(k) Plans
Personal data and financial assets are top targets for today’s cybercriminals, but many advisors lack sufficient cybersecurity protections to meet legal requirements and protect 401(k) plan participants.
Cybercrime often impacts a client’s personal information as well as their financial assets. As a 401(k) plan fiduciary, failure to take the proper cybersecurity precautions could expose you to liability, so it’s important to manage the cybersecurity risk to 401(k) plans.
Knowing Your Fiduciary Duty
While clear guidance specific to cybersecurity is yet to be determined, the obligation to fiduciary duty is well known. Federal pension law requires 401(k) plan fiduciaries to exercise care, skill, prudence and diligence, and act in the best interest of plan participants. Without a plan, fiduciaries may share in the liability of a hack or unauthorized distribution.
Understanding Shared Obligations
Typically, several plan fiduciaries share discretionary authority over plan administration and investments. Yet these entities also share obligations to the cybersecurity of plan participants’ assets and data. Courts have found that delegating responsibilities does not remove such obligations.
- In Leventhal v. MandMarblestone Group, LLC (E.D. Pa. May 1, 2019), both the plan sponsor and record-keeping service provider were found to share liability to restore accounts after breaches.
- In Berman v. Estee Lauder, Inc. (N.D. Cal. Oct. 9, 2019), a plan sponsor, record-keeper and custodian all had to defend their cybersecurity practices in the face of a participant account’s unauthorized distributions.
In any claim or suit, all plan fiduciaries can expect to defend their cybersecurity practices.
Recognizing Liability Risks
For a plan fiduciary, the risk posed by a cybersecurity breach is high. In the event of a breach,
you may be held liable to make the plan whole, notifying participants of the breach and providing identity theft protection. You could also be held liable for a co-fiduciary contribution for money stolen from participant accounts. To reduce the risk, plan fiduciaries must work closely with each other to ensure that systems and procedures are in place to protect participant data and assets.
Preparing for Plan Audits
It’s common for 401(k) plan auditors to ask about cybersecurity practices, so all plan fiduciaries should be prepared. It’s not only important to have proper systems and procedures in place, it’s also important they be documented in any audits. Make sure the auditor knows about the cybersecurity policy, controls and protections you and other plan fiduciaries maintain. With the proper security in place and documented, you help lower your liability risk.
Adopting a Cybersecurity Policy
To satisfy the requirements of fiduciary duty, it’s important plan fiduciaries adopt a formal cybersecurity policy. Key areas to address include:
- Data management
- Technology management
- Service provider management
- Personnel training and management
Your cybersecurity policy should consider systems and procedures to protect plan participants’ personal information and financial assets during:
- Establishment of a plan and due diligence
- Maintenance and management of the plan
- Discovery of a breach or fraud
- Recovery from a cybersecurity incident
With the adoption of a policy, advisors can reduce the likelihood of common cybersecurity threats such as ransomware, malware, phishing emails and wire transfer fraud. The ERISA Advisory Council offers more guidance in the 2016 report, “Cybersecurity Considerations for Benefit Plans.”
Taking Action to Minimize Cybersecurity Risk to 410(k) Plans
With the level of danger posed by cybersecurity threats, it’s important for all plan fiduciaries to take action to minimize risks. Make sure you and other plan fiduciaries secure sensitive data in addition to your existing internal controls over financial reporting.
Understand that reducing risk involves developing a management strategy to work together with partners to ensure security. Familiarize yourself with common risks and adopt policies and procedures to prevent breaches and fraud. Finally, make sure you are protected with adequate levels of Errors and Omissions coverage.
While other industry groups and associations offer Errors and Omissions Liability Insurance policies with shared aggregate limits, Lockton Affinity Advisor offers coverage with individual limits, so that you will always have access to your full policy limits.
Plus, Lockton Affinity Advisor coverage meets ERISA standards, including services as an ERISA 3(21) and 3(38) advisor.