June 10th 2020
Across the retirement industry, technology and digitization are delivering significant enhancements for participants and plan sponsors through personalization, automation, and data analytics.
But the increasing usage and reliance on technology comes at an additional cost—security. A recently filed ERISA lawsuit underscores the importance that cybersecurity plays in the fiduciary process, both for plan sponsors and service providers, and could serve as a harbinger of things to come. In April 2020, a complaint was filed in Illinois naming Abbott Laboratories (the plan sponsor) and Alight Solutions (the recordkeeper), alleging fiduciary breaches of duty for cyber fraud.
In December 2018, a retired former employee of Abbott Laboratories alleged that an unknown individual accessed her account and stole $245,000 because of insufficient security measures. According to the complaint, no security-question routine was enforced on the benefits website. The unknown user accessed the plaintiff’s account via the internet, chose the “forgot password” option, entered the last four digits of the plaintiff’s Social Security number and her date of birth, and then elected to receive a one-time code via email to her email account instead of answering online security questions. The unknown user then entered the one-time code, accessed the account, changed the password, and added direct deposit information for a third-party bank account.
Here’s where the story gets even more interesting. The lawsuit alleges that two days after the employee’s account was accessed, the unknown user (referred to as the “Impersonator” in the complaint) called the Abbott Benefits Service Center from a phone number that neither belonged to the plaintiff nor was associated with her account, and impersonated her. The Impersonator told the benefits representative that they had unsuccessfully tried to process a distribution online, at which point the representative disclosed personal information to them by asking whether they still lived at the plaintiff’s address.
Eventually, the representative processed the distribution, but the plaintiff wasn’t notified until nearly ten days later, via mail, that the $245,000 had been transferred. However, according to the complaint, the plaintiff had elected to receive communications electronically rather than via mail, and she alleged that if she had been sent an email she could have responded quickly and halted the transfer.
The complaint specifically alleges that the defendants breached their fiduciary duties of loyalty and prudence “by causing, allowing or processing unauthorized distributions of [plaintiff’s] account assets; failing to confirm authorizations for distributions with [plaintiff] before making distributions; failing to provide timely notice of distributions to [plaintiff] by telephone or email; failing to identify and halt suspicious distribution requests, such as requests for multiple distributions to accounts in different banks; failing to establish distribution processes to safeguard the plan’s assets against unauthorized withdrawals; failing to monitor other fiduciaries’ distribution processes, protocols and activities; and related acts and omissions.”
It remains to be seen whether this lawsuit has any merit, but it’s unlikely to be the last of its kind. And this isn’t simply an Abbott Laboratories or Alight Solutions issue, especially with so much of our financial lives moving to the digital world. This is an issue that impacts every single recordkeeper (or other vendor) in the industry that holds personally identifiable information (PII) and, by extension, the fiduciaries that select these vendors. From a user-experience perspective, controls like security questions and answers, complex passwords, two-factor authentication, timed logoff, strong encryption, secure email, and voice recognition technology will become table stakes, if they haven’t already. From a security infrastructure perspective, recordkeepers will need to continue to invest in and deploy customer verification measures, systems surveillance and fraud detection, stronger firewalls, and restricted user access to data. One recordkeeper even invested $50 million in a security software company!
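The complaint’s list of failures (no confirmation before payout, no timely notice on the participant’s elected channel, no hold on suspicious requests) maps directly onto the “fraud detection” controls mentioned above. The following is an added illustration, not code from the article, from Alight Solutions, or from John Hancock: a small rule engine that scores a distribution request against the account’s recent history and decides whether to hold it for out-of-band confirmation and where to send notice. The event fields, account data, thresholds and amounts are all constructed assumptions modelled on the sequence of events the article describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed account record (hypothetical values, not from the complaint).
ACCOUNT = {
    "participant_id": "P-0001",
    "phones_on_file": {"+15550100"},
    "preferred_channel": "email",  # participant elected electronic delivery
}

# Constructed event history, modelled on the article's sequence: a password
# reset that skipped the security questions, a new payout destination, then a
# phone-initiated distribution request two days later from an unknown number.
EVENTS = [
    {"ts": "2018-12-01T10:02", "type": "password_reset",
     "method": "email_otp", "kba_answered": False},
    {"ts": "2018-12-01T10:05", "type": "payout_destination_added",
     "bank": "BANK-X", "account": "***1234"},
    {"ts": "2018-12-03T14:30", "type": "distribution_request", "amount": 245000.0,
     "bank": "BANK-X", "channel": "phone", "caller_number": "+15550199"},
]


@dataclass
class Decision:
    hold: bool
    reasons: list = field(default_factory=list)
    notify_via: list = field(default_factory=list)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def evaluate_distribution(account, events, request,
                          lookback_days=14, new_destination_days=30):
    """Decide whether a distribution request should be held for confirmation.

    Signals checked (the ones the complaint says went unexamined):
      * a credential reset in the lookback window that bypassed the
        knowledge-based security questions;
      * the payout destination was added less than new_destination_days ago;
      * a phone request from a number not on file for the participant;
      * distributions fanned out to more than one bank within the window.
    """
    req_time = _ts(request)
    window_start = req_time - timedelta(days=lookback_days)
    # Only events strictly before the request count as "history".
    recent = [e for e in events if window_start <= _ts(e) < req_time]
    decision = Decision(hold=False)

    for e in recent:
        if e["type"] == "password_reset" and not e.get("kba_answered", True):
            decision.reasons.append(
                f"credential reset via {e['method']} without security questions on {e['ts']}")
        if e["type"] == "payout_destination_added" and e["bank"] == request["bank"]:
            age = req_time - _ts(e)
            if age < timedelta(days=new_destination_days):
                decision.reasons.append(
                    f"destination {e['bank']} added {age.days} day(s) before request")

    if request.get("channel") == "phone" and \
            request.get("caller_number") not in account["phones_on_file"]:
        decision.reasons.append("phone request from number not on file")

    banks = {e["bank"] for e in recent if e["type"] == "distribution_request"}
    banks.add(request["bank"])
    if len(banks) > 1:
        decision.reasons.append(
            f"distributions to {len(banks)} different banks within {lookback_days} days")

    decision.hold = bool(decision.reasons)
    # Notice goes out on the participant's elected channel immediately; mail is
    # only a fallback, never the sole channel when something faster was elected.
    channel = account["preferred_channel"]
    decision.notify_via = [channel, "mail"] if channel != "mail" else ["mail"]
    return decision


if __name__ == "__main__":
    d = evaluate_distribution(ACCOUNT, EVENTS, EVENTS[2])
    print("HOLD" if d.hold else "RELEASE", d.reasons, "notify via", d.notify_via)
```

The point of the example is the shape of the control, not the particular thresholds: a request that follows a credential recovery, targets a freshly added account, or arrives over a channel the participant never registered should stop and wait for the participant to confirm on the channel they actually chose, rather than being processed and announced by mail ten days later.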
Lawmakers and regulators are also starting to focus on cyber issues. For instance, in 2019, two senators wrote the comptroller general of the U.S. Government Accountability Office (GAO) asking him to examine the cybersecurity of the private retirement system. In particular, the letter identified retirement accounts as “a tempting target for criminals who could hack into a plan and individuals’ accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs. It is important that workers and retirees know their savings are in-fact safe, and that a cyberattack will not throw the retirement they have spent years working and planning for into jeopardy.” That certainly sounds a lot like the Abbott Laboratories complaint.
The Advisory Council on Employee Welfare and Pension Benefit Plans, generally referred to as the ERISA Advisory Council, was established under Section 512 of ERISA to advise the Secretary of Labor on matters related to welfare and pension benefit plans. In 2016, it published a report examining cybersecurity considerations as they relate to pension and welfare benefit plans. While the report does not represent the position of the Department of Labor, it does offer a number of important insights for fiduciaries to consider. John Hancock culled these six helpful cybersecurity best practices from the report.
- Prudently select and monitor third-party service providers with a process that includes investigating how PII is protected, and document the factors taken into consideration. Request information regarding the providers’ data security systems and policies. Also, review the results of providers’ SOC 2 audits and other industry-recognized certifications.
- Review and, if necessary, amend agreements with service providers to ensure that contractual provisions mandate the protection of plan data and the allocation of liability.
- Consider buying cyber-liability insurance or include cyber provisions in existing liability policies. Policies should cover liability resulting in litigation, as well as the cost of the assistance and resources (such as credit monitoring or technical support) needed to minimize the impact of an actual breach.
- Document, review, and update cybersecurity policies for comprehensiveness. Ensure the ongoing monitoring of any covered service providers and employees with access to plan data while also limiting the amount of data available to only what’s necessary.
- Continue to educate fiduciaries (retaining an expert’s assistance, if necessary) to ensure they’re informed regarding the functionality of the systems, as well as the processes and procedures involved with the maintenance, retention, and protection of PII.
- Educate participants to do their part to protect against cybersecurity issues before they occur—and communicate how to mitigate losses if information is compromised.
At a minimum, ERISA fiduciaries should ask cybersecurity-related questions as part of the vendor RFP process, or as a standalone request, and make sure this due diligence process is documented. For a list of cybersecurity questions you should ask, please contact me directly.