Cyber Security: The Hidden Risk in Retirement Plan Accounts

If Russian hackers can affect the US presidential election, do you think that retirement accounts and assets are safe? This topic was hotly debated at a recent TPSU program conducted at Rutgers University, and plan sponsors who had never considered the issue were fully engaged.

As noted in the 2016 ERISA Council report, risks include:

  • Ransomware, where criminals encrypt and seize an entire hard drive and will only release it for a high ransom.
  • Phishing, where fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cyber-criminal to infiltrate a computer network.
  • Wire transfer email fraud, where cyber criminals pretend to be senior executives asking employees to transfer funds.
  • Malware via external devices, where intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer.

The experts leading the discussion at TPSU noted that the problem is not an IT issue but an organizational one, since many incidents begin when people open email attachments. Another problem discussed at TPSU was emails that appear to come from a trusted source but whose domain name is slightly misspelled.
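The misspelled-domain problem above is one a mail gateway or a reviewer can check for mechanically. The following is an added example, not code from the article or from TPSU, that flags sender domains which are near misses of a short list of trusted domains: it collapses common visual substitutions (a zero for the letter o, "rn" for "m") and then measures edit distance. The trusted domains and the sample sender addresses are constructed for illustration.

```python
# Added example (not from the article): flag sender domains that are
# near misses of trusted domains, as seen in lookalike phishing emails.

# Assumed, constructed list of domains the plan sponsor legitimately deals with.
TRUSTED_DOMAINS = {"examplerecordkeeper.com", "examplesponsor.com"}

# Constructed sample "From:" addresses as a mail gateway would see them.
SAMPLE_SENDERS = [
    "payroll@examplesponsor.com",       # legitimate
    "ceo@examplesp0nsor.com",           # digit zero in place of 'o'
    "hr@examplerecordkeeper.co",        # final letter dropped
    "admin@exarnplerecordkeeper.com",   # 'rn' standing in for 'm'
    "news@unrelated.example",           # unrelated domain, should not be flagged
]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain):
    """Collapse substitutions that look alike on screen so they compare equal."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for one email address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike"
    return "unrelated"


def review(senders=SAMPLE_SENDERS):
    """Classify every sample sender; returns a dict of address -> verdict."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for addr, verdict in review().items():
        print(f"{verdict:10} {addr}")
```

The edit-distance threshold is deliberately small: a distance of one or two catches typosquats while leaving genuinely different domains alone. A "lookalike" verdict is a reason to hold the message for review, which is the organizational control the panel describes, rather than a decision to block outright.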

So is there fiduciary liability? There may be, according to Trucker Huss, a law firm based in San Francisco, which notes:

“Under Section 404(a) of ERISA, a benefit plan’s fiduciaries must discharge their duties to the plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing for their benefits. These duties must be carried out with the care, skill, prudence and diligence under then-prevailing circumstances that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.¹ Because benefit data includes participants’ names, Social Security numbers, account information and PII [personal identifiable information], it is increasingly important for ERISA plan fiduciaries to acknowledge and act on their inherent responsibilities to secure online plan data from cyberattacks. Failure to do so would almost certainly be counter to the prudence standard by which ERISA fiduciaries are required to abide.”

That fiduciary duty and liability may come back to plan sponsors even if the issue is with their record keeper, if proper due diligence and monitoring were not carried out.

Trucker Huss suggests these simple best practices:

  • Get insurance to protect the plan assets and the participants (which may be paid out of plan assets as revealed in the TPSU panel);
  • Conduct proper due diligence and monitoring of third parties;
  • Review and amend, if necessary, agreements; and
  • Educate yourself, for example by attending a TPSU program and reading 401kTV.
