Securing Retirement: 401(k) Plan Cybersecurity

By Brenna Clark and Brittany Edwards-Franklin August 27, 2019

Retirement plan participants are becoming increasingly reliant on online platforms, including mobile phone apps, to access and monitor their 401(k) plan accounts. At the same time, these types of online platforms are increasingly susceptible to data breaches and sophisticated fraud schemes. Given the vast amounts of money in U.S. 401(k) plan accounts, it seems almost inevitable that there will be a successful, large-scale attack on retirement plans soon.

401(k) plans have become prime targets for two specific types of attacks:

  • Theft of participants' sensitive data, which could ultimately lead to identity theft.
  • Theft of participant money through fraudulent online transactions.

Currently, there is no comprehensive federal statute specifically addressing retirement plan cybersecurity obligations. The Employee Retirement Income Security Act of 1974 (ERISA) is silent on data protection in the form of electronic records, and courts have not yet decided whether participants' sensitive data is a "plan asset" that is subject to ERISA's fiduciary standards. However, there is an increased interest in these types of issues at the state, federal and international levels, and ERISA does impose certain standards of care on plan fiduciaries:

  • Fiduciaries owe a duty of loyalty to plan participants and must discharge their duties solely in the interest of plan participants and beneficiaries. Ignoring online threats could potentially violate this duty.

  • Fiduciaries must act prudently, with the care, skill and diligence that similarly situated fiduciaries might use. If various cybersecurity protections have become standard practices for plan fiduciaries, then a fiduciary risks breaching this duty if it fails to implement similar safeguards.

At a minimum, plan fiduciaries should be taking some steps to guard electronic access to both monetary assets and sensitive participant data, and they should periodically re-evaluate best practices as technology evolves. Below are some proactive steps plan fiduciaries can take to protect participant data and account balances:

• Education. Plan fiduciaries should educate themselves about the types of potential security threats and learn strategies that third-party service providers and other employers are implementing to prevent cyberattacks. While plan fiduciaries do not have to understand the exact mechanics behind these threats, they should know enough to ask intelligent questions and understand market practices.

Similarly, plan fiduciaries should consider drafting educational materials or hosting employee training sessions to educate participants on steps they can take to safeguard their retirement assets. This is essential, because regardless of the protections third-party service providers or employers put into place to prevent fraud and cyberattacks, individual participant behavior creates the most risk. Participant education efforts should:

  • Explain the dangers of sharing passwords, never changing passwords, or using passwords that are too simple.
  • Educate participants about the evolving security measures recordkeepers have available to help protect their accounts. These might include dual factor authentication, automatic account lock features, or voice recognition software.
  • Recommend that participants periodically monitor their accounts (including the importance of receiving and reviewing account notifications), so that they are able to mitigate any damage in the event their account is compromised. Many participants set up their 401(k) plan accounts and forget about them, so they may not notice fraudulent transactions on their accounts for months.

At that point, the window for taking any mitigating actions has often closed. This is particularly true for plans with large numbers of participants who have been auto-enrolled and may not even understand that they have an account balance.

• Negotiate cybersecurity protections. Plan fiduciaries should negotiate and periodically revisit cybersecurity provisions in service agreements. Contractual provisions might address: (1) maintenance of a security program that meets accepted industry standards; (2) obligations in the event of a breach; (3) liability in the event of a breach; (4) the plan fiduciary's right to audit the service provider's practices; and (5) the ability to renegotiate cybersecurity provisions as technology and threats evolve.

• Service provider monitoring. It is important to remember that although employers may hire third-party service providers to administer and handle participant accounts, plan fiduciaries are still required to provide prudent oversight. As a result, plan fiduciaries should make an effort to understand the steps their service providers are taking to protect participant data and account balances. They should question service providers about their practices in handling sensitive plan data and what they are doing to prevent breaches. This can be done as part of the initial hiring process, but plan fiduciaries also should receive periodic updates or reports on these practices so that they can effectively monitor their service providers.

• Understand internal risks. Cybersecurity is often viewed as a service provider issue rather than an employer obligation. However, plan fiduciaries should review the employer's own practices for exchanging participant data and account information. For example, the manner in which human resources personnel transmit information to the 401(k) plan recordkeeper or other service providers could leave the employer vulnerable to an attack. Additionally, if the employer's anti-virus software or firewall is out of date, sensitive information could be accessed.

As one component of prudent plan administration, plan fiduciaries should document these efforts to safeguard retirement plan information and assets. Documentation could include records of negotiated service agreement terms, participant education materials, and periodic reports from service providers. As the scope of plan fiduciaries' cybersecurity obligations becomes more clearly defined, obligations will evolve, and plan fiduciaries will want to demonstrate their ongoing efforts to prudently administer retirement plan assets.

Brenna Clark and Brittany Edwards-Franklin are attorneys in the Atlanta office of law firm Eversheds Sutherland.