The Secure Act 2.0 involves many benefit-related matters including changes to the prior law. The relief offered by this act applies both to affected participants and their beneficiaries as well as the fiduciaries responsible for plan operations, including the employer which sponsors the plan; however, this is not blanket relief.

Courts are now sorting out who is responsible when an impostor diverts a participant's retirement funds with fraudulent distribution requests.

Can the employer, as the plan sponsor, be held responsible when an outside service provider honors a suspicious distribution request?

One federal court recently dismissed such a case against the employer because the plan's website provider was alleged to have processed and authorized a fraudulent online distribution request without adequate participant confirmation. However, employers are plan fiduciaries with a duty to select and monitor the performance of plan service providers. This opens the door to potential claims against employers for their alleged failure to pick service providers with adequate cyber security practices - even if the employer's own data systems are secure and well maintained.

What should an employer do about this?

Service providers for 401(k) and other retirement plans require access to personal data on participants including name, age, address, date of hire, compensation and possibly social security number. This data is necessary to allow plan administrators and recordkeepers to properly allocate plan contributions and earnings to individual participant accounts, to prepare participant statements and for income tax reporting purposes.