By Fred Reish

Cybertheft has skyrocketed during the pandemic. By June 2020, the daily digital crime rate was 74% ahead of where it was when stay-at-home restrictions were put in place. A lucrative target? The investment accounts of retirement plan participants. Why? The risk has escalated as remote work has combined with the increased distribution and loan limits under the CARES Act.

Plan sponsors are understandably uneasy about their potential fiduciary responsibility to prevent these crimes. There is little guidance from the Department of Labor and few definitive answers from recent related court decisions.

But employers can gain insights from three pending cases brought by plan participants over cybertheft of their accounts to reduce their exposure and possibly avoid claims altogether.

Lawsuit #1: Service partners’ practices matter

The case: In Barnett v. Abbott Laboratories, a cyberthief obtained the login information for a 401(k) account, except for the password, logged into the account at the recordkeeper, and clicked on the “Forgot Password” button. The thief intercepted the email containing the new password, changed the bank account of record for disbursements, and had $245,000 from the retired participant’s account transferred to the new bank. The plaintiff complained that if the plan’s recordkeeper had notified her of the requested withdrawal by email (apparently her preferred method of communication) rather than by letter, the notice would have arrived in time to stop the transfer.

The findings: The court held that the plan sponsor was not liable, but that the recordkeeper could be. That ruling may not give plan sponsors much comfort, though, because an argument could be made that in their capacity as fiduciaries (usually through plan committees), they have a duty to investigate and monitor the cybersecurity procedures of their service providers.

Lessons learned: With the law here unsettled, a cautious approach begins with plan sponsors acquainting themselves with the cybersecurity policies and procedures of their service providers, particularly the plan’s recordkeeper. Internal IT staff or consultants should evaluate those procedures against industry standards. Plan advisors can explain best practices in the 401(k) industry, and service providers should explain how they monitor their own compliance. Finally, ask for an update on those procedures regularly. On a different front, the plan’s lawyer should review its service provider agreements, advising on the provisions that set out both sides’ cybersecurity responsibilities and on any limitations on the service providers’ liability.

Lawsuit #2: When service providers countersue

The case: In Leventhal v. MandMarblestone Group, a cyberthief stole $400,000 from a participant’s account by intercepting emails from an employee who was working remotely. The plan’s service providers were sued.

The findings: In a procedural motion, the court found that the service providers could be liable as fiduciaries. But they countersued the plan sponsor, arguing that it had breached its own responsibilities by allowing remote work without proper cybersecurity safeguards. The court decided that the counterclaim was sufficient to proceed to trial, leaving open the possibility that the plan sponsor would be at least partially liable.

Lessons learned: This court found that plan sponsors and committees could be responsible for having reasonable procedures in place to protect employee communications about the retirement plan and its distributions. This is a particularly acute issue given the prevalence of remote work during the pandemic. Plan sponsors should enlist their IT staff in developing security practices that ideally exceed standard practices. It is better to avoid a loss than to defend against it.

Lawsuit #3: Avoiding shared failures in account security

The case: In Berman v. Estee Lauder, Inc., a cyberthief stole almost $90,000 from a participant’s account, apparently by obtaining the participant’s login information, changing the bank account of record, and making withdrawals. The participant sued, alleging that the plan sponsor, recordkeeper and trustee had all breached their fiduciary duties. The case was subsequently settled.

Lessons learned: Few details about the case are known, but some takeaways are available. First, since cyberthieves sometimes obtain part or all of the login information from plan participants themselves, it is important to provide participants with ongoing education about protecting their login information and passwords. Second, committees should review their service providers’ procedures for protecting accounts. When a bank account of record is changed, a red flag goes up that a participant’s money could be in jeopardy. Are there dual-authentication procedures for a withdrawal, perhaps a text message after the initial login and request? The same question should be asked about password changes, a common tactic of cyberthieves.

To stay on top of the evolving retirement plan world, committees should regularly ask their advisers, recordkeepers and attorneys to report back on emerging issues. New threats should prompt them to enlist their advisers to help minimize or even eliminate the risk.

The views expressed in this article are those of Fred Reish, and not necessarily of Faegre Drinker. The article is for general information only and is not intended to provide investment, tax or legal advice, or recommendations for any particular situation. Please consult with a financial, tax or legal advisor on your circumstances.

HUB International’s retirement plan fiduciary advisors provide ongoing guidance on your plan’s setup and management to ensure it meets regulatory compliance guidelines and the interests of your employees. Contact HUB to request an assessment of your group retirement plan.

Fred Reish is a partner with the law firm of Faegre Drinker who specializes in retirement law, focusing on fiduciary and best interest standards of care, prohibited transactions, conflicts of interest, and retirement plans.