Cybersecurity and ERISA Retirement Plans: The Financial Consultant’s Role

Cybersecurity is top of mind for many businesses, but have consultants for retirement plans given the area sufficient consideration? After all, there is no explicit cybersecurity duty that applies to consultants under the Employee Retirement Income Security Act of 1974 (“ERISA”). Despite this, plan consultants need to become educated on the cybersecurity landscape surrounding plans in order to assist plan sponsor clients in fulfilling their fiduciary duties.
ERISA retirement plans hold both monetary assets and intangible assets in the form of information about the plan and its participants. Cyber incidents pose a threat to both. A phishing attack could give a criminal enough of a participant’s personal information, or the participant’s login credentials, to request a fraudulent plan loan or plan distribution. The data itself may also be the target of the theft, for example the Social Security number, name, and bank account information that a retirement plan uses to pay periodic distribution amounts to a participant.
Common types of cybersecurity threats include phishing, ransomware, malware, and wire fraud. Phishing uses deceptive e-mails, texts, or calls to get a plan fiduciary or participant to hand over information (such as credentials or account details) or to click a malicious link. Ransomware encrypts the files on a workstation or server, and often any connected backups, so that the owner cannot use them until a ransom has been paid. Malware is a broader category of malicious software introduced onto a device or system to capture keystrokes, steal saved passwords, or perform other malicious activities. Finally, wire fraud, often called business email compromise, has become very sophisticated. Genuine-looking e-mails from business clients or partners will request a transfer of funds, or a change to payment instructions, for legitimate-sounding business reasons, when they actually come from an entirely different person or entity. Many times this is achieved by registering a lookalike domain that differs from a trusted e-mail address by a single letter, so the usual control is to confirm any new or changed payment instruction by calling the counterparty at a previously known phone number rather than one supplied in the e-mail.
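The single-letter lookalike address described above can be caught mechanically before a wire is released. The following is an added example, not code from the original article: it takes the From: address of an instruction e-mail and compares its domain against a list of trusted counterparties, flagging near-misses (one-character typos, confusable substitutions such as “rn” for “m” or “1” for “l”, and a trusted name embedded in some other domain). The trusted domains, the sample addresses, and the small confusable-character table are constructed for illustration and are assumptions, not data from the page.

```python
"""Flag sender addresses whose domain is a lookalike of a trusted counterparty.

Added example (not from the original article). TRUSTED_DOMAINS and the sample
addresses are constructed for illustration; the confusable-character table is
a small hand-picked set, not a complete list.
"""
from email.utils import parseaddr
from typing import Optional, Tuple
import unicodedata

# Constructed sample: in practice this comes from the plan's vendor records.
TRUSTED_DOMAINS = frozenset({"example-recordkeeper.com", "example-custodian.com"})

# Single characters that look alike in common fonts. Multi-character swaps
# ("rn" for "m", "vv" for "w") are handled separately in normalize().
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def normalize(domain: str) -> str:
    """Canonical form for comparison: NFKC-folded, lowercase, with visually
    confusable sequences collapsed to the character they imitate."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@domain>' or 'user@domain'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(address: str, trusted=TRUSTED_DOMAINS,
                 max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Classify a From: address against the trusted-counterparty list.

    Returns one of:
      ("trusted", domain)            exact match to a trusted domain
      ("trusted-subdomain", domain)  host under a trusted domain (verify separately)
      ("lookalike", trusted_domain)  near-miss or embedded copy of a trusted domain
      ("unknown", domain)            no resemblance to any trusted domain
      ("invalid", None)              could not parse an address
    """
    domain = sender_domain(address)
    if not domain:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    for t in trusted:
        if domain.endswith("." + t):
            return ("trusted-subdomain", t)
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # One-character typo, a confusable swap that normalizes to the trusted
        # name, or the trusted name embedded in a different registrable domain.
        if edit_distance(norm, tn) <= max_distance or tn in norm:
            return ("lookalike", t)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample From: headers, including typosquats of the trusted domains.
    samples = [
        "Pat Lee <pat@example-recordkeeper.com>",
        "pat@example-recordkeepr.com",            # dropped letter
        "pat@exarnple-recordkeeper.com",          # "rn" imitating "m"
        "pat@examp1e-recordkeeper.com",           # digit 1 imitating l
        "pat@example-recordkeeper.com.evil.net",  # trusted name as a subdomain of another domain
        "pat@payments.example-custodian.com",
        "pat@unrelated-vendor.net",
    ]
    for s in samples:
        print(f"{s:45} -> {check_sender(s)}")
```

A “lookalike” or “unknown” result on a payment instruction should route the request to the callback procedure rather than to the wire desk; a “trusted” result only means the visible domain matches, so it is not a substitute for SPF/DKIM/DMARC checks on the message itself or for callback verification of changed bank details.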