Courts are now sorting out who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests.

Can the employer, as the plan sponsor, be held responsible when an outside service provider honors a suspicious distribution request?

One federal court recently dismissed such a case against the employer because the plan's website provider was alleged to have processed and authorized a fraudulent online distribution request without adequate participant confirmation. However, employers are plan fiduciaries with a duty to select and monitor the performance of plan service providers. This opens the door to potential claims against employers for their alleged failure to pick service providers with adequate cyber security practices - even if the employer's own data systems are secure and well maintained.

What should an employer do about this?