In the unfortunate case of a participant’s retirement account data being breached, speakers on a panel at the PLANSPONSOR National Conference in Orlando, Florida, said it is critical that plan sponsors have the proper insurance and cybersecurity practices in place to avoid lawsuits and catastrophic results. 

Daniel Aronowitz, managing principal at Euclid Fiduciary, said at the “Are You inSUREd?” panel that plan sponsors need to have safeguards like multi-factor identification and regular information back-up in place, as well as setting up an indemnification with their recordkeeper in the case of a digital threat. 

CalPERS Third-Party Cybersecurity Breach 

In related news, the California Public Employees’ Retirement System, which serves state employees in California and is the largest pension fund in the U.S., and the California State Teachers Retirement System, the public pension fund serving California teachers, were among the public and private sector institutions affected by a major breach. 

In statement, CalSTRS said, “On June 4, 2023, a CalSTRS vendor, PBI Research Services, advised us that its systems were involved in the recent mass exploit of a vulnerability in the MOVEit secure file transfer system. This incident did not involve unauthorized access to CalSTRS’ network. CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.” 

According to published reports, other affected organizations include Genworth Financial, a Virginia-based life insurance services provider, and Wilton Re, a New York-based insurance provider. In all, the security breach at PBI Research Services, which recently merged with The Berwyn Group, impacted the personal information of approximately 769,000 members, according to CalPERS’ Tuesday communication to its retired members and their families. 

PBI provides services to CalPERS to identify member deaths, and these services ensure that proper payments are made to retirees and beneficiaries and prevent instances of overpayments or other errors. The security incident did not impact information systems operated by CalPERS, according to the press release.  

Retirees and beneficiaries with impacted personal information are being contacted by mail with information on how to take additional steps to protect their information, and CalPERS offered free credit monitoring for two years.  

In addition, PBI notified CalPERS that retired member files were impacted as well. Some of those include inactive members who may soon become eligible for benefits.  

PBI has reported the incident to federal law enforcement and has told CalPERS it has “resolved the vulnerability,” while also adding additional security measures. According to a press release, CalPERS has added new protocols on its member benefits website, myCalPERS, as well as additional safeguards for those who use the member contact center and those who visit any CalPERS regional office. 

What Plan Sponsors Should Keep in Mind 

Aronowitz said plan sponsors need to make sure they have indemnification in place not only with their recordkeepers, but with every third party involved in their plan and anyone who handling money in retirement accounts.  

Indemnification clauses are promises by service providers stipulating that if they do something wrong which causes harm to the plan or causes a third party to sue the plan sponsor, the service provider will cover their legal costs. 

On top of that, Aronowitz said every plan sponsor, third party and plan adviser should make sure it has fiduciary insurance, as well as cyber insurance and crime insurance. 

Robert Massa, managing director and Houston operations retirement practice leader at Qualified Plan Advisers, said his firm sends an RFP specifically dedicated to cybersecurity practices to plan sponsor clients, with the intent it be sent to their recordkeepers.  

“Some of the big recordkeepers share data together about cyber hacks,” Massa said. “This is a place where they’ve all agreed that they’re all at risk, and it doesn’t benefit any one of them to allow the other one to get hacked. … I think that’s a great step in the right direction.” 

Massa added that the smaller the recordkeeper is, the higher the risk of a breach, because it is most likely more financially constrained and more likely to outsource cybersecurity to other service providers. Smaller recordkeepers also may not be able to afford as expensive an insurance policy as larger recordkeepers can. 

Even if a plan sponsor and their recordkeeper have “airtight” cybersecurity, Massa said it is important to educate employees on cyber-risk and “break it down to the human level.” 

If a participant’s personal email gets hacked, for example, Massa said there is the possibility that the breach could snowball. The plan sponsor may not be at fault in this situation, but Massa said it could result in a lawsuit against the plan anyway.  

Aronowitz predicted there will be more lawsuits filed over cybersecurity issues in the future. As one example, he cited a December 2022 lawsuit against Colgate in which a participant in the company’s defined contribution plan alleged breach of fiduciary duty claims against the plan recordkeeper and plan fiduciary committee, but not the bank custodian.  

Aronowitz said these cases typically come down to whether the plan sponsor breached its fiduciary duty by not properly monitoring its recordkeeper or choosing the best recordkeeper.  

Importance of Fiduciary Insurance 

“When I think of fiduciary insurance, it’s malpractice insurance,” Aronowitz said. “Doctors need malpractice insurance, lawyers need malpractice insurance [and] fiduciaries of retirement plans need malpractice insurance.” 

Aronowitz explained that fiduciary insurance protects the plan sponsor against claims it was negligent or committed “malpractice.”  

“Essentially, a breach of fiduciary duty claim is a claim that you messed up,” Aronowitz said.  

As many plan sponsors experience high premiums for insurance, Massa added that if plan sponsors have their fiduciary process in place and do the proper documentation and due diligence, they will likely see those premiums become more reasonable. 

“Insurance companies are asking a lot about how you do your business,” Massa said. “They want to know if you’ve been benchmarking, meeting regularly [and] your average fund expenses.”