Protecting Balances from Cyber Thieves

Practice Management

Who exactly is responsible if a participant’s balance is stolen? While that may not be exactly clear, a recent blog entry suggests that it may be prudent to take steps to protect participants’ retirement accounts from cyber crime nonetheless. 

In “Employer 401k Cybersecurity Responsibilities,” Robert C. Lawton of Lawton Retirement Plan Consultants notes that the courts are “sorting that out right now,” and observes that at least one court has held that a plan sponsor was not a fiduciary, and therefore not financially responsible, when a participant balance was stolen. “A landmark case” is how he characterizes the ruling by the U.S. District Court for the Northern District of Illinois in Bartnett v. Abbott Laboratories, in which the court held that the plan sponsor, Abbott Labs, was not responsible for the theft of a participant balance, but that the provider, Alight, was. 

Lawton writes that most service providers with which plan sponsors work are not fiduciaries, and those that are generally are “limited scope” fiduciaries, responsible only for their particular area of expertise. And despite Bartnett v. Abbott, he says, plan sponsors have historically been considered fiduciaries for all activities related to their plans. 

“Employers overwhelmingly see the logic in the court’s rulings,” remarks Lawton. But regardless of Bartnett v. Abbott and that employer view, he offers a note of caution and suggests taking steps to protect participant balances from cyber thieves.

Service Providers. Lawton suggests that employers: 

  • ask providers about their policies, procedures, protections and guarantees concerning cybersecurity;
  • obtain their data protection policies and procedures; and
  • review their policies regarding cybersecurity and data security.

Insurance. Lawton suggests reviewing insurance coverage concerning fraudulent payments from the plan, as well as asking service providers about their coverage. 

Contracts. Lawton suggests reviewing existing contracts with service providers, paying special attention to responsibilities regarding data security and fraudulent payments, and making sure the sponsor understands who is responsible if data is compromised or fraudulent payments are made. He adds that it may be necessary to develop a new contract that better addresses responsibilities for security and for handling fraud.

A Developing Story

“Much is in flux,” Lawton writes, observing that relevant case law is “still evolving” and noting the dearth of laws that concern cybersecurity responsibilities regarding 401ks. “There is much that has yet to be determined,” Lawton says, and stresses the importance of staying abreast of developments in this area.