Cybertheft has skyrocketed during the pandemic. By June, 2020, the daily digital crime rate was 74% ahead of where it was when stay-at-home restrictions were put in place. A lucrative target? The investment accounts of retirement plan participants. Why? The risk has escalated with remote work combined with increased distribution and loan limits under the CARES Act.
Plan sponsors are right to be uneasy over their potential fiduciary responsibility to prevent these crimes, and understandably. There’s little guidance from the Department of Labor or definitive answers from recent related court decisions.
But employers can gain insights from three pending cases brought by plan participants over cybertheft of their accounts to reduce their exposure and possibly avoid claims altogether.
Lawsuit #1: Service partners’ practices matter
The case: In Barnett v. Abbott Laboratories, a cyberthief obtained a 401(k) account login information, except for the password, logged into the account at the recordkeeper, and clicked on the “Forgot Password” button. The thief intercepted the email with the new password, changed the bank account of record for disbursements and had $245,000 from the retired participant’s account transferred to the new bank. The plaintiff complained that if the plan’s recordkeeper had notified her of the requested withdrawal via email (apparently her preferred method of communication), rather than a letter, it would have been timely enough to stop the transfer.
The findings: The court held that the plan sponsor was not liable, but the recordkeeper could be. That ruling may not give plan sponsors much comfort, though, an argument could be made that in their capacity as fiduciaries (usually through plan committees), they have a duty to investigate and monitor the cybersecurity procedures of their service providers.
Lessons learned: With the law here unsettled, a cautious approach begins with plan sponsors acquainting themselves with the cybersecurity policies and procedures of their service providers, particularly the plan’s recordkeeper. Internal IT staff or consultants should evaluate those procedures against industry standards. Plan advisors can explain best practices in the 401(k) industry. Service providers should explain how they monitor compliance. Finally, ask for an update on those procedures regularly. On a different front, the plan’s lawyer should review its service provider agreements, advising on provisions for both sides’ cybersecurity responsibilities and any limitations on the service providers’ liability.
