Now more than ever, retirement plan recordkeepers are at risk of cyber fraud. But there are ways to minimize your exposure. Lockton Affinity’s Tom Schrandt recently penned an article for ASPPA’s Plan Consultant Magazine, offering cyber tips for recordkeeping professionals.
Tom is a Vice President, Partner and Producer at Lockton Affinity, where he leads the Lockton Affinity Advisor Insurance Program specializing in insurance solutions for financial professionals. The American Society of Pension Professionals and Actuaries (ASPPA) is part of the American Retirement Association and a key organization for retirement plan professionals. The following article first appeared in ASPPA’s Spring 2022 Issue of Plan Consultant Magazine under the title “Fighting Cyber Fraud.”
Fighting Cyber Fraud
“I didn’t make a distribution request!” is probably one of the last things any employee benefits plan professional wants to hear from a plan participant. It’s a red flag that a fraudulent instruction request may have been received and processed and that someone may have just lost their life savings to an online scammer.
The Nature of the Risk
Due to the sensitive nature of stored personal information and the high value of plan assets under management, cybercriminals are increasingly interested in retirement plan data and assets. While the tricks cybercriminals use to commit online fraud tend to vary, the goal remains the same: impersonate a trusted party to divert funds into a fraudulent bank account.
The risk of such cyber fraud is growing. “It is getting harder and harder for victims to spot the red flags and tell real from fake,” said Donna Gregory, chief of the FBI’s Internet Crime Complaint Center (IC3), in a recent report. The fact that many professionals are working from home, where security is less robust, also complicates matters. IBM reports that email phishing scams, the precursor to most cyber fraud schemes, have multiplied at an exponential rate to more than 60 times pre-pandemic levels.
For plan sponsors, administrators, recordkeepers and other fiduciaries, even a single cyber fraud incident can have a cumulative effect that does serious damage. There’s the danger of stolen data and assets, plus legal costs, reputational damage, regulatory penalties and the added potential personal liability risk that can come with an ERISA fiduciary duty breach.
Who Holds the Liability?
Resolving an allegation of plan asset theft can be a complex undertaking. Legal action is often necessary to determine the facts of what went wrong and who, if anyone, is to blame. Fiduciaries who share discretionary authority over plan administration and investments often share responsibility for the cybersecurity of their plan participants’ data and assets. Typically, courts have found that delegating these responsibilities does not remove fiduciary obligations.
In a situation where a plan participant’s retirement savings have been drained, there’s plenty of blame to go around, and all plan fiduciaries can expect to find themselves in court defending their cybersecurity practices. A few examples come to mind.
In Berman v. Estee Lauder, Inc. (N.D. Cal. Oct. 9, 2019), a plan sponsor, a recordkeeper and a custodian all had to defend their cybersecurity practices in the face of unauthorized distributions. In Leventhal v. MandMarblestone Group, LLC (E.D. Pa. May 1, 2019), both the plan sponsor and recordkeeper were found to share a fiduciary responsibility to restore accounts after cyberbreaches.
In the case of Bartnett v. Abbott Laboratories et al. (N.D. Ill. Oct. 2, 2020), a lawsuit was filed against both the plan sponsor and the recordkeeper, but the plan sponsor was dropped from the case, leaving the recordkeeper as the sole defendant. It’s worth taking a closer look at how this surprising turn of events came to be.
In the complaint, a plan participant alleges an unknown cybercriminal compromised her email and began attempting to use it to gain access to her plan account. Through contact with the recordkeeper’s website and call center, the cybercriminal was able to reset the password on the plan account, change the bank account associated with the plan account, and transfer $245,000 of plan assets to the new bank account and out of the country before the theft could be noticed and stopped.
As the Bartnett case moves forward, there is plenty for recordkeepers to think about. Typically, a recordkeeper’s role is considered to be non-fiduciary, handling only “ministerial” functions. But evolving case law has the potential to change that. Recordkeepers may one day find their standard functions constitute fiduciary conduct, in which case, having the correct cybersecurity practices and protections becomes even more important.
What Steps Can Recordkeepers Take?
A new and evolving area of case law is taking shape, but recordkeepers don’t have to wait for courts to decide Bartnett and other cases before acting to shore up their cybersecurity. The threat is already at a high level, presenting a major risk for anyone overseeing retirement plans. Guidance from the Department of Labor generally addresses three aspects of the problem, advising recordkeepers to:
- Educate employers and employee plan participants.
- Stay up to date on evolving fraud threats and tactics.
- Follow current industry fraud prevention best practices.
Diligent recordkeepers can and should take steps now to protect plan participants and themselves from hackers and fraudsters. Following are some steps that can minimize the risk.
An internal process to verify the identity of participants and authenticate all distribution requests can significantly cut down on fraudulent transactions. Protections range from calling participants to verify requests to high-tech voice recognition and two-factor authentication technologies.
An instant automatic notification alert sent through multiple channels, such as email, text and an automated phone call, when an account change has been made or a distribution is requested gives participants more opportunity to alert their plan fiduciary if something is wrong.
An automated tool monitoring accounts for suspicious activity can also make it harder for fraudsters to drain a participant account, flagging unfamiliar logins and account changes made shortly before a distribution request as requiring additional verification and authentication.
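The monitoring rule described above, as an added example that is not part of the original article: it holds a distribution request when an unfamiliar login or an account change precedes it within a lookback window. The event fields, the 14-day window, the event type names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy value: how far back "shortly before" reaches.
LOOKBACK = timedelta(days=14)
ACCOUNT_CHANGES = {"password_reset", "bank_account_change", "contact_change"}

def hold_reasons(events, request, known_devices, lookback=LOOKBACK):
    """Return reasons a distribution request needs additional verification."""
    reasons = []
    start = request["time"] - lookback
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["account"] != request["account"]:
            continue
        if not (start <= ev["time"] <= request["time"]):
            continue
        if ev["type"] in ACCOUNT_CHANGES:
            reasons.append(f"{ev['type']} on {ev['time']:%Y-%m-%d} before request")
        elif ev["type"] == "login" and ev.get("device") not in known_devices:
            reasons.append(f"unfamiliar login ({ev.get('device')}) on {ev['time']:%Y-%m-%d}")
    return reasons

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events (not real data): a reset, bank change and
# withdrawal sequence like the one the article describes, plus a routine request.
EVENTS = [
    {"account": "P-1001", "time": ts("2022-01-03 09:12"), "type": "login", "device": "dev-home"},
    {"account": "P-1001", "time": ts("2022-03-01 02:40"), "type": "password_reset"},
    {"account": "P-1001", "time": ts("2022-03-01 02:44"), "type": "login", "device": "dev-unknown"},
    {"account": "P-1001", "time": ts("2022-03-02 03:05"), "type": "bank_account_change"},
    {"account": "P-1001", "time": ts("2022-03-04 10:00"), "type": "distribution_request"},
    {"account": "P-2002", "time": ts("2022-03-03 14:00"), "type": "login", "device": "dev-office"},
    {"account": "P-2002", "time": ts("2022-03-04 11:00"), "type": "distribution_request"},
]
KNOWN = {"P-1001": {"dev-home"}, "P-2002": {"dev-office"}}

def triage(events, known):
    """Map each account's distribution request to ('hold' | 'release', reasons)."""
    out = {}
    for ev in events:
        if ev["type"] == "distribution_request":
            why = hold_reasons(events, ev, known.get(ev["account"], set()))
            out[ev["account"]] = ("hold" if why else "release", why)
    return out

if __name__ == "__main__":
    for account, (decision, why) in triage(EVENTS, KNOWN).items():
        print(account, decision, why)
```

A held request would then go through the out-of-band verification and multi-channel notification steps the article lists before any funds move.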
A policy on restoration can help recordkeepers better manage the risk of unauthorized disbursements by addressing which plan fiduciary has a responsibility to make participants whole and what circumstances and requirements must be met for the protection to apply.
A plan to engage plan participants in the safety of their own accounts, requiring an initial complete account setup, opting in for real-time alerts, providing education about phishing and fraud threats, and requiring regular account reviews, can greatly reduce the risk to plan assets.
Another important step recordkeepers can take is to obtain cyber liability insurance coverage to protect themselves. A policy that specifically covers fraudulent instruction requests and losses to a participant’s account is a must, as is checking for any coverage sublimits and policy restrictions that may limit protection.
Lastly, even though recordkeepers may do everything right and take all possible precautionary measures, it’s wise to ensure you carry the right insurance. Sooner or later, a fraudulent instruction request may slip through the cracks and lead to a loss for a participant and a lawsuit for the recordkeeper.
Lockton Affinity offers Cyber Liability insurance coverage tailored to meet the needs of recordkeepers and other retirement plan professionals. To learn more, visit LocktonAffinityAdvisor.com or call (844) 406-5958.