Understanding the IRS’ New Pre-Audit Letter Program

Attorneys say plan sponsors have a couple of strong incentives to identify and correct any compliance failures upon receiving a pre-audit letter under a new IRS program.

At the beginning of June, the IRS announced a new pre-audit compliance program for retirement plans, under which its auditors will send a pre-audit letter to plan sponsors whose retirement plans have been selected for upcoming reviews.

Upon receiving such a letter, the plan sponsor has 90 days to identify and correct any compliance issues with their plans—and to notify the IRS of the corrective actions taken. Attorneys who have reviewed the terms of the pre-audit program say it presents plan sponsors with an important opportunity to self-correct issues in advance of their plan’s review.


According to commentary shared by Peter Daines and R. Sterling Perkinson, attorneys with Kilpatrick Townsend, plan sponsors have “a couple of strong incentives” to take action to identify and correct any compliance failures upon receiving a pre-audit letter.

“The IRS’s announcement indicates that if a plan sponsor does not respond to the pre-audit letter within 90 days, it will move forward with scheduling an audit,” the pair explain. “But if a plan sponsor responds to the pre-audit letter, the IRS will assess whether to issue a closing letter or to conduct a limited or full scope audit.”

As Daines and Perkinson point out, the IRS has not actually provided guidelines as to how it will make this assessment, but it appears to the attorneys that plan sponsors will have some ability to avoid or limit a potential audit by responding to the pre-audit letter “in a way that demonstrates a commitment to voluntary compliance.”

“The IRS has indicated that it will assess sanctions for any compliance failures corrected under the pilot program (other than failures eligible for self-correction) based on the user fees for its Voluntary Correction Program (VCP), which currently has a maximum user fee of $3,500,” Daines and Perkinson explain. “VCP is not available to plan sponsors once they have received verbal or written notification of a pending audit.”

Ordinarily, the attorneys note, compliance issues discovered under audit, other than “insignificant” operational failures, are subject to sanctions under the IRS’ Audit Cap Program. The level of such sanctions will depend on the IRS’ assessment of the “nature, extent and severity of the failure.” According to the Kilpatrick Townsend attorneys, in any case, these sanctions tend to be significantly higher than VCP user fees.

“As a result, plan sponsors that receive a pre-audit letter should begin the process of assessing any compliance failures, taking any appropriate corrective actions, and preparing a summary of any compliance issues for the IRS,” they conclude.

Dannae Delano, a partner with the Wagner Law Group, shares a similar perspective regarding the pilot program. She notes that, under the pilot program, the IRS will send an initial letter to plan sponsors whose retirement plans have been selected for upcoming audits. This letter will explain that the plan has been identified for audit and that the sponsor has 90 days to identify and voluntarily correct any compliance issues with the plan and notify the IRS of the corrective actions taken.

“This is a welcome departure from the longtime voluntary correction principle that allowed voluntary correction only until the IRS had identified the plan for audit,” Delano says. “The IRS will evaluate whether to continue the program and/or include it in its EPCRS program at the end of the pilot program, the date of which wasn’t disclosed.”

Delano says the program, at least as described in the announcement, provides some powerful incentives to encourage plan sponsors to voluntarily comply in the 90 days following receipt of the initial letter. As noted by the Kilpatrick Townsend attorneys, the first of these is a potentially substantial reduction in the sanctions involved in the audit process.

“The announcement also indicates that if a plan sponsor responds to the initial letter, the IRS will determine whether to issue a closing letter or to conduct a limited or full scope audit,” she adds. “How it will make that determination has not been disclosed, but it appears that plan sponsors may have some ability to limit an impending audit or avoid an audit completely by responding to the initial letter in a way that demonstrates full compliance.”

According to Delano, plan sponsors that receive an initial letter should immediately contact their retirement plan advisers to begin the process of identifying compliance failures, taking any appropriate corrective actions and preparing a summary of the compliance issues and corrections made for the IRS.

“In addition, operational and plan document errors discovered by a plan sponsor should receive priority for timely correction to ensure any compliance issue can be resolved within 90 days of the receipt of an initial letter,” Delano concludes.

PSNC 2022: Plan Sponsor Cybersecurity Responsibilities

Experts discussed what procedures plan sponsors can put in place and how to encourage participants to do their part in keeping data and accounts secure.

On the final day of the 2022 PLANSPONSOR National Conference in Orlando, a panel of experts discussed retirement plan cybersecurity, with the goal of steeling retirement industry professionals against the rapidly evolving threats they face.

The speakers included Larry Crocker, CEO of Fiduciary Consulting Group, Inc.; Beth Kushner, deputy director of administration for the New York City Deferred Compensation Plan; and Percy Lee, an associate at Ivins, Phillips & Barker. As the trio explained, there has been a clear increase in cybersecurity-related incidents involving retirement plans and related benefit offerings, raising the stakes for fiduciaries and the companies and plan participants they serve.


“Over the past several years, we have all become more familiar with cybersecurity as a general concept, in part because many of us moved to remote-first work arrangements due to the pandemic,” Lee said. “As the level of awareness has increased, however, so has the size and complexity of the cybersecurity problem from the perspective of plan fiduciaries.”

As Kushner recounted, remote work was a blessing in that it allowed so many people to continue to get their jobs done, but it also meant the effort of keeping systems safe and secure got a lot more complicated. In New York City’s case, all remote connections must be established in an encrypted manner, and employees are constantly reminded about their role in keeping systems safe and secure. In fact, the city has run multiple simulated phishing campaigns in the interest of exposing potential vulnerability. If mistakes are made, targeted training is immediately provided to individual workers.

As Lee and Crocker noted, the cybersecurity stakes are high. In the past few years, multiple recordkeepers and/or plan committees have been sued in the aftermath of fraudulent transactions or data breaches. In one well-publicized case against Abbott Laboratories, the plaintiff alleged that failures in website and call center protocols resulted in $245,000 in unauthorized distributions from the individual’s plan account. While the allegations directed specifically against Abbott Labs were eventually rejected by the district court ruling on the case, the recordkeeper later agreed to pay a settlement to resolve the matter.

“When it comes to cybersecurity and fiduciaries’ responsibilities, these issues haven’t been fully tested in the courts, but they have figured in settlements,” Lee said. “Something else we have seen in settlements in excessive fee cases is that plan sponsors will agree to forbid their recordkeeper from using plan data to cross-sell other services to individual participants.”

Crocker and Lee said they expect it will take some years before the basic question of whether plan data is to be defined as a plan asset under ERISA is resolved. In the meantime, it is probably smart for plan sponsors to behave as if this is the case, meaning they should strive to protect plan data in the same way they strive to protect plan assets. Regulatory action could also have an impact, they explained, as Congress has empowered the Department of Labor to set out the definition of plan assets via regulation.

Crocker and Lee emphasized the importance of the fiduciary process, meaning it is critical for plan fiduciaries to discuss and act on cybersecurity-related topics—activity which should be reflected in meeting records, service provider requests for proposal, contract negotiations, etc.

Asked to discuss what resources New York City has used to support its internal cybersecurity efforts, Kushner noted the significance of backup and collaboration.

“Like any plan sponsor, we strive to collaborate closely with our recordkeeper on cybersecurity,” she said. “I would say it is a true partnership, where we monitor which programs they have in place and what tracking and defensive work they are doing, and they bring best practices to the table on our behalf. Something new is that we have started incorporating specific cybersecurity policies into our contracts.”

Kushner said a key step forward has been the addition of regular cyber assessments run by the plan’s independent auditor’s own expert partner. One recommendation coming out of the audit, which New York City has implemented, was the hiring of a chief information security officer. The CISO is tasked with monitoring the retirement plan system’s moment-to-moment cybersecurity footing and ensuring it is always moving toward a more secure environment.

Ironically, cyberbreaches are often accomplished via relatively low-tech means, the panel noted. An unwitting employee might click on a malicious email, and from there, it’s off to the races. The panel also stressed the importance of putting multiple layers of defense and multiple security strategies in place.

“For example, if there are large withdrawals requested, the recordkeeper should be looking at this and there should be stops in place,” Kushner said. “For example, if a change in banking information is filed on the same day that a large withdrawal request and a change of address request are made, this needs to be flagged and reviewed. Yes, it is a bit of an inconvenience at times, but we need to ensure we are protecting our people and their assets.”
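The rule Kushner describes (a large withdrawal on the same day as a banking-information change and an address change should be stopped and reviewed) is the kind of control a recordkeeper can run over its account-activity feed. The following is an added example written for this article, not code from the New York City Deferred Compensation Plan or any recordkeeper mentioned. The event feed, the participant IDs and the $25,000 "large withdrawal" threshold are constructed assumptions; the panel gave no figure. It generalizes the same-day rule slightly with a `window_days` parameter, so a bank change filed a few days before the withdrawal can also escalate the alert.

```python
"""Large-withdrawal review rule: constructed example, not any plan's actual control logic."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed threshold for a "large" withdrawal; the panel did not give a figure.
LARGE_WITHDRAWAL_THRESHOLD = 25_000.00


@dataclass(frozen=True)
class AccountEvent:
    participant_id: str
    event_date: date
    event_type: str          # "withdrawal", "bank_change" or "address_change"
    amount: float = 0.0      # only meaningful for withdrawals


# Constructed sample activity feed (not real participant data).
SAMPLE_EVENTS = [
    AccountEvent("P-1001", date(2022, 6, 14), "bank_change"),
    AccountEvent("P-1001", date(2022, 6, 14), "address_change"),
    AccountEvent("P-1001", date(2022, 6, 14), "withdrawal", 40_000.00),
    AccountEvent("P-1002", date(2022, 6, 14), "address_change"),
    AccountEvent("P-1002", date(2022, 6, 14), "withdrawal", 5_000.00),
    AccountEvent("P-1003", date(2022, 6, 15), "withdrawal", 30_000.00),
    AccountEvent("P-1004", date(2022, 6, 10), "bank_change"),
    AccountEvent("P-1004", date(2022, 6, 15), "withdrawal", 50_000.00),
]


def find_suspicious_withdrawals(events, threshold=LARGE_WITHDRAWAL_THRESHOLD, window_days=0):
    """Return review/hold alerts for large withdrawals.

    Every withdrawal at or above `threshold` is flagged for review. If the same
    participant also changed banking information or mailing address within
    `window_days` before (or on) the withdrawal date, the alert escalates to a
    hold. window_days=0 is the same-day rule described by the panel.
    """
    # Index profile changes by (participant, change type) -> dates they occurred.
    changes = {}
    for ev in events:
        if ev.event_type in ("bank_change", "address_change"):
            changes.setdefault((ev.participant_id, ev.event_type), []).append(ev.event_date)

    alerts = []
    for ev in events:
        if ev.event_type != "withdrawal" or ev.amount < threshold:
            continue
        window_start = ev.event_date - timedelta(days=window_days)
        reasons = ["large_withdrawal"]
        for change_type in ("bank_change", "address_change"):
            dates = changes.get((ev.participant_id, change_type), [])
            if any(window_start <= d <= ev.event_date for d in dates):
                reasons.append(f"{change_type}_within_window")
        alerts.append({
            "participant_id": ev.participant_id,
            "date": ev.event_date,
            "amount": ev.amount,
            "reasons": reasons,
            # A large withdrawal alone is reviewed; paired with a profile
            # change it is held until a person confirms it with the participant.
            "action": "hold" if len(reasons) > 1 else "review",
        })
    return sorted(alerts, key=lambda a: (a["date"], a["participant_id"]))


if __name__ == "__main__":
    for alert in find_suspicious_withdrawals(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the rule holds P-1001 (all three events on one day), sends P-1003 and P-1004 to ordinary review, and ignores P-1002 because the withdrawal is below the threshold; with `window_days=7`, P-1004's bank change five days earlier escalates it to a hold as well. The escalation deliberately depends on a profile change plus the withdrawal rather than on either alone, which is what keeps the "inconvenience" Kushner mentions limited to the small set of transactions that actually warrant a call to the participant.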
