Across the retirement industry, technology and digitization are delivering significant enhancements for participants and plan sponsors. Benefits include personalization, automation, and data analytics. But the increasing usage and reliance on technology come at an additional cost — cybersecurity.
A recently filed ERISA lawsuit underscores the importance of cybersecurity in the fiduciary process, both for plan sponsors and service providers, and could serve as a harbinger of things to come. In April 2020, a complaint was filed in Illinois naming Abbott Laboratories (the plan sponsor) and Alight Solutions (the recordkeeper), alleging fiduciary breaches of duty for cyber fraud.
In December 2018, a retired former employee of Abbott Laboratories alleged that an unknown individual accessed her account and stole $245,000 due to insufficient security measures. According to the complaint, no security question routine was enforced on the benefits website. The unknown user accessed the plaintiff’s account via the internet and chose the “forgot password” option. Then they entered the last four digits of the plaintiff’s Social Security number and her date of birth. Subsequently, they elected to receive a one-time code via email to her email account instead of answering online security questions. The unknown user then entered the one-time code and then accessed the account, and changed the password. They added direct deposit information to a third-party bank account.
Here’s where the story gets even more interesting. The lawsuit alleges that two days after the employee’s account was accessed, the unknown user (referred to as the “Impersonator” in the complaint) called the Abbott Benefits Service Center. They called from a phone number that didn’t belong to the plaintiff (or was associated with her account) and impersonated her. The Impersonator told the benefits representative that they had unsuccessfully tried to process a distribution online. At that point, the representative provided personal information to them by asking if they still lived at the plaintiff’s address.
Eventually, the representative processed the distribution. But the plaintiff wasn’t notified until nearly ten days later via mail that the $245,000 had been transferred. Of note, the plaintiff had elected to receive communications electronically as her preferred method, rather than via mail. She alleges that she could have responded quickly and halted the transfer if she had been sent an email.
The complaint specifically alleges that the defendants breached their fiduciary duties of loyalty and prudence by “by causing, allowing or processing unauthorized distributions of [plaintiff’s] account assets; failing to confirm authorizations for distributions with [plaintiff] before making distributions; failing to provide timely notice of distributions to [plaintiff] by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard the plan’s assets against unauthorized withdrawals; failing to monitor other fiduciaries’ distribution processes, protocols, and activities; and related acts and omissions.”
It remains to be seen whether this lawsuit has merit, but it’s unlikely to be the last of its kind. And this isn’t simply an Abbott Laboratories or Alight Solutions issue. It affects every retirement vendor with so much of our financial lives moving to the digital world. This is an issue that impacts every single vendor in the industry with personally identifiable information (PII). By extension, it also impacts the fiduciaries that select these vendors.
From a user experience, security policies will become table stakes if they haven’t already. Measures should include security questions and answers, complex passwords, two-factor authentication, timed logoff, strong encryption, secure email, and voice recognition technology. From a security infrastructure perspective, recordkeepers will need to continue investing in and deploying customer verification measures. These include systems surveillance and fraud detection, stronger firewalls, and restricted user access to data. One recordkeeper even invested $50 million in a security software company!
Lawmakers and regulators are also starting to focus on cyber issues. For instance, in 2019, two senators wrote the comptroller general of the U.S. Government Accountability Office (GAO) asking him to examine the cybersecurity of the private retirement system. In particular, the letter identified retirement accounts as “a tempting target for criminals who could hack into a plan and individuals’ accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs. It is important that workers and retirees know their savings are in fact safe, and that a cyberattack will not throw the retirement they have spent years working and planning for into jeopardy.”
That certainly sounds a lot like the Abbott Laboratories complaint.
The Advisory Council on Employee Welfare and Pension Benefit Plans was established under Section 512 of ERISA. Known as the ERISA Advisory Council, it advises the Secretary of Labor on welfare and pension benefit plans. In 2016, it published a report examining cybersecurity considerations as they relate to pension and welfare benefit plans. While the report doesn’t represent the DOL’s official position, it offers several important insights for fiduciaries to consider. John Hancock culled these six helpful cybersecurity best practices from the report.
- Prudently select and monitor third-party service providers with a process that includes investigating how PII is protected, and document the factors taken into consideration. Request information regarding the providers’ data security systems and policies. Also, review the results of providers’ SOC 2 audits and other industry-recognized certifications.
- Review and, if necessary, amend agreements with service providers to ensure that contractual provisions mandate the protection of plan data and the allocation of liability.
- Consider buying cyber-liability insurance or include cyber provisions in existing liability policies. Policies should cover liability resulting in litigation, as well as the cost of and assistance and resources (such as credit monitoring or technical support) needed to minimize the impact of an actual breach.
- Document, review, and update cybersecurity policies for comprehensiveness. Ensure the ongoing monitoring of any covered service providers and employees with access to plan data while limiting the amount of data available to only what’s necessary.
- Continue to educate fiduciaries (retaining an expert’s assistance, if necessary) to ensure they’re informed regarding the functionality of the systems and the processes and procedures involved with the maintenance, retention, and protection of PII.
- Educate participants to do their part to protect against cybersecurity issues before they occur—and communicate how to mitigate losses if the information is compromised.
At a minimum, ERISA fiduciaries should have a documented due diligence process. Cybersecurity-related questions as part of the vendor RFP process or as a standalone request. For a list of cybersecurity questions, you should ask, please contact me directly.