Cybersecurity & Retirement Plans

Insights | Cybersecurity & Retirement Plans

Author: Paul Carl, CHSA, CPFA, Vice President, Retirement Plan Consulting, Registered Representative

Imagine an employee with nearly $300,000 in your company’s 401(k) plan calling you with accusations that $245,000 has vanished—completely disappeared from their account. How would you react? What would you say? What would you do?

In Barnett v. Abbott Laboratories, a plan participant is suing Abbott Labs, the plan sponsor, because $245,000 “disappeared” from the participant’s retirement account. The original and amended complaints allege misconduct on the part of the retirement plan recordkeeper and includes the plan sponsor and other plan fiduciaries. 

The allegations claim that through a targeted cybersecurity attack:

  • The perpetrator changed the participant’s password, established a new bank account and requested a distribution from the Abbott Lab retirement plan; AND
  • The recordkeeper processed the request and issued a mailed, not emailed as previously directed by the participant, confirmation notice of the distribution. By the time the participant received the distribution confirmation notice, the suit claims the funds were long gone.

So far, both complaints against Abbott Labs have been dismissed by the courts but this case and several similar events bring Cyber Security and retirement plans front and center. In fact, the Department of Labor, Employee Benefits Security Administration (EBSA), is taking the matter so seriously that it issued guidance in April 2021. The DOL guidance comes in three forms: tips for hiring a service provider, cybersecurity program best practices and online security tips.

In December, as a part of our quarterly webinar series in partnership with VonLehman and Graydon, Paul Carl, Vice President, Register Representative at HORAN and a former Department of Labor (DOL) Senior Investigator, co-presented with eSentire, Inc.’s Vice President of Industry Security Strategies, Mark Sangster, on Cyber Security. Paul highlighted the importance of mitigating losses caused by cybersecurity attacks and included several best practices for retirement plan sponsors and their fiduciaries. In addition, Mark provided in-depth information on the types of commonplace cyber-attacks and how to detect if your organization has been victimized.

The DOL has issued guidance with an implied expectation that retirement plan sponsors and their fiduciaries undertake steps to create, review and/or update their cybersecurity programs. In fact, the first DOL-identified cybersecurity program best practice is to “have a formal, well-documented cybersecurity program in place.” 

What’s at stake? If you think about what drives most if not all 401(k) and 403(b) retirement plans, it’s payroll. Payroll and payroll files include employee names, social security numbers, addresses, dates of birth and hire, compensation and a host of other sensitive data. This information is often accessible not only internally but is shared with retirement plan recordkeepers and third-party administrators (TPAs). In some situations, the data may be shared with even more service providers including auditors and advisors. 

Do employees who participate in the retirement plan play a part? Absolutely. As the employer, consider adding cybersecurity as a component of your employee education. Education could focus on the importance of employees providing digital contact information such as valid email and mobile device numbers. These two items can help optimize security features such as the use of two-factor authentication at login and, where available, biometric voice recognition. 

Ensure that you are continuously reading about cybersecurity best practices and tips to protect your business and employees. If you’d like more information, click here to view the December webinar or contact Paul Carl at 800.544.8306

Paul Carl is a Registered Representative of HORAN Securities, Inc., a registered broker-dealer, member FINRA | SIPC.