There has been a recent spike in attacks on 401(k) and retirement plans by cyber criminals. Some have been reported publicly, and we are aware of several nonpublic incidents as

A data breach is a disruptive event. For plan fiduciaries, there are several factors that create heightened risk. First, an attack can result in loss of personally identifiable information and theft of funds. Recent incidents have seen cyber thieves empty accounts of plan participants, including C-suite executives. For business relations reasons, corporate plan sponsors have taken responsibility for making plan participants whole.

Second, plans use third-party service providers to administer accounts and handle data. Yet, plan fiduciaries may remain responsible for their actions under ERISA, and they are generally obligated to provide prudent oversight.

Third, because ERISA requires that claims by plan participants be asserted against the plan fiduciary, it is critical to have contractual specifications about data and plan asset security, and mechanisms to shift the loss to the service provider where circumstances warrant. Otherwise, disputes may arise over which party is responsible for cybersecurity.

In light of these risks, we offer the following recommendations for plan fiduciaries:

Undertake a careful review of agreements with service providers. Contracts should make them responsible for cybersecurity and set standards for data protection consistent with ERISA and other laws, as well as up-to-date industry standards. In the event of a breach, contracts should provide plan fiduciaries with prompt notice, access to requested information, and indemnification against claims and losses.

Obtain insurance that covers cyber theft and data breach risk. Some cyber policies will cover losses incurred by plan fiduciaries, including investigation expenses, notice costs, reimbursement of stolen funds, and defense of claims. But coverage varies greatly from insurer to insurer, and many policies contain problematic exclusions. It is important to understand the available coverages and to select policies that meet

Should a breach occur, the plan fiduciary should take an active role in the response effort. A prudent "expert level" response will include diligent investigation, notice and protective measures for plan participants, and implementation of appropriate corrective

Jones Day currently is assisting clients in responding to several nonpublic cyber incidents involving 401(k) and retirement

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.