401(k) Cyber Theft - Who Is Responsible?
Cyber theft of participant 401(k) accounts is a reality (see HERE).
Courts are now sorting out who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests.
Can the employer, as the plan sponsor, be held responsible when an outside service provider honors a suspicious distribution request?
One federal court recently dismissed such a case against the employer because the plan's website provider was alleged to have processed and authorized a fraudulent online distribution request without adequate participant confirmation (that's Bartnett v. Abbott Laboratories, N.D. Illinois). However, employers are plan fiduciaries with a duty to select and monitor the performance of plan service providers. This opens the door to potential claims against employers for their alleged failure to pick service providers with adequate cyber security practices - even if the employer's own data systems are secure and well maintained.
What should an employer do about this? First, of course, is to make sure your own house is in order by observing appropriate cyber security practices including employee education on avoiding fraudulent information disclosures by means such as phishing. With employees more likely to be working from remote locations during the COVID-19 pandemic, this threat may be significantly increased.
Also important is to verify that plan service providers adequately protect participant account information with secure systems and practices to stop unauthorized distributions by generating security alerts (and participant notices) when there are changes in account information such as new passwords and access devices - as well as distribution requests.
Every 401(k) provider service agreement should require the service provider to observe appropriate cyber security protocols with respect to participant account information. Employers would be further protected if they are also indemnified by the service provider for damages cause by its failure to properly secure such information. As to the employer's own responsibility, consider maintaining fiduciary insurance to cover any security breach that allegedly results from the employer's conduct as the plan sponsor or designated "plan administrator."