Noting that there has been an increase in computer crime in connection with the economic disruption caused by COVID-19, companies should remember that retirement plan accounts are attractive targets for cyber thieves because of the often larger account balances relative to ordinary financial accounts, the infrequency of checking on accounts by many of their owners, and the potential for some account owners to rely on the plan sponsor and record-keeper to provide security.
ERISA fiduciaries generally are subject to the prudent expert standard of care, and they owe a duty of loyalty to the plan participants. A prudent expert acts with the care, skill, and diligence that the circumstances call for a person of like character and like aims to use.
The monetary assets of the participant accounts are clearly plan assets, and a plan fiduciary must exercise prudence to protect them from theft, including theft by means of a cyber breach. Plan sponsors have a fiduciary duty to ensure that their record-keepers are providing appropriate security measures for protecting plan assets from unauthorized activity. If an employee’s personal information has been compromised, or her identity stolen, her retirement accounts are at risk.
To satisfy this fiduciary duty, a plan sponsor should (i) know and understand its record-keeper’s security procedures already in place, and (ii) consider the adequacy of these measures and whether additional security processes should be implemented. Records of these fiduciary inquiries and the answers to the questions asked, as well as any changes implemented to the plan procedures and participant accounts should be documented. It is now common for plan record keepers and custodians to provide email alerts for account activity, two-step authentication, and voice verification processes.
Plan sponsors should also educate plan participants on best security practices:
- Create a unique username – one that does not include any part of a social security number or birthday;
- Create a strong and unique password – experts advise that it should be at least 9 characters, including uppercase and lowercase letters, numbers, and punctuation marks;
- Keep username and passwords secure – they should not be saved in a browser or shared with anybody;
- Ensure that all contact information relating to a participant account is current and accurate;
- Update account security questions and answers; and
- Monitor account activity and promptly reporting any concerns.
Even so, it is not clear that these steps would completely insulate a plan sponsor from exposure to liability for a cyber breach. Plan sponsors should review record-keeper service agreements to understand the impact of an identity theft or a data breach. Although some record-keepers will reimburse the plan for losses due to unauthorized activity, other record-keepers place that liability squarely on the shoulders of the plan sponsor. We recommend negotiating language into service agreements that subject the record-keeper to a high standard of care and in safeguarding participant data and plan assets, provide breach notification deadlines and clearly delineate breach mitigation processes and responsibility. Retirement plan committees and other plan sponsor personnel that are integral to administering the retirement plan should also consider periodic cyber security training. A plan sponsor that can show prudent steps and process on cyber security will be better positioned to defend against fiduciary breach allegations. It’s getting increasingly risky, and extra care is advisable for managing retirement plan accounts.