401k cybersecurity

Plan sponsors need to know the latest about protecting participant balances

Average reading time: 4 minutes

Protection of 401k plan participant balances against theft has become a major concern for all employer plan sponsors. What do plan sponsors need to do to meet 401k cybersecurity challenges? Read on to find out.

Who’s responsible when participant balances are stolen?

The courts are sorting that out right now – but there has been an important ruling in favor of plan sponsors. Twice, a court in northern Illinois found that a plan sponsor was not a fiduciary (and therefore not financially responsible) for the theft of a participant balance.

The Abbott/Alight case is turning out to be a landmark case on 401k cybersecurity and the responsibilities of plan sponsors and providers in protecting participant balances.

Plan sponsors hire a number of providers to work with their plans. Most are not fiduciaries under current law. Those that are fiduciaries are generally considered to be limited-scope fiduciaries, responsible only for their area of expertise.

Plan sponsors, on the other hand, have always been considered fiduciaries for all activities related to their 401k plans, without limitations.

What’s significant about the Abbott/Alight rulings is that a provider not contractually obligated to be a fiduciary (Alight) appears to be responsible for the theft of a participant balance while Abbott Labs, a fiduciary, has been determined not to be.

Abbott Labs hired Alight to provide administrative services to its plan. While providing those services, Alight authorized a fraudulent distribution of a participant balance. Alight does not consult Abbott Labs prior to processing distributions. Abbott Labs was not involved in any part of the distribution process.

Employers overwhelmingly see the logic in the court’s rulings. How could Abbott Labs possibly be financially responsible when it is not involved in the processing of distributions?

Plan administrators and recordkeepers argue that since their contracts don’t state that they are fiduciaries, they can’t be financially liable either. Right now, the court is siding with plan sponsors as litigation continues.

Employer 401k Cybersecurity Responsibilities

Outlined below are the steps plan sponsors should take to protect participant balances from cyber theft.

Review and monitor providers

As a plan sponsor, you have the fiduciary duty to review and monitor the performance of the providers you hire to work on your plan. Most plan sponsors review their providers annually.

You should ask your providers to share with you their 401k cybersecurity policies, procedures, protections and guarantees.

For example, most large recordkeepers guarantee participant balances against loss from theft — provided the participant does a number of things (like establishing and monitoring their account, signing up for two-factor authentication, reporting any suspicious activity promptly and listing contact information).

Also, obtain from your providers their data protection policies and procedures. Some providers will fold their data security policies into their 401k cybersecurity policies, while others will have separate policies.

If your company is large enough to have an information systems department, make sure you review your provider’s cyber and data security policies with them.

Check insurance coverage

Ask your providers how much insurance they have in place to cover fraudulent payments. All insurance has limitations, so understand what those are for your plan.

Review the insurance coverage your firm has to cover fraudulent payments from your 401k plan. There certainly could be situations when your company, as a fiduciary without limitation, may be responsible for a fraudulent payment.

If your firm does not have insurance to cover these situations, make sure you add coverage as soon as possible.

Review provider contracts

Make sure that you review the contracts you have signed with your providers to determine their responsibilities — and yours — for data security and fraudulent payments.

If you signed a contract with a provider a long time ago, it may not speak adequately to either subject. In that case, work with your provider on a new contract that contains language addressing both parties’ responsibilities.

Understand which party is responsible for a loss of data security or a fraudulent payment. Make sure that whichever party is responsible has the necessary insurance in place to cover any fiduciary breaches.

Get help if you need it

Employers can find help and guidance on 401k cybersecurity from the Cybersecurity and Infrastructure Security Agency (CISA). As an official government agency that is part of the Department of Homeland Security, much of what CISA provides is free.

If you are a small business with limited resources, additional help may be found from the Federal Communications Commission. Its website has an impressive list of resources.

This issue is evolving

Right now, these are the things that you should be doing as a vigilant plan sponsor to protect your employees’ 401k plan balances. However, much is in flux. Case law on responsibility is still evolving. Laws addressing specific 401k cybersecurity responsibilities don’t exist. There is much that has yet to be determined. Stay up-to-date to protect your participants and your company.

About the Author

Robert C. Lawton, AIF, CRPS is the founder and President of Lawton Retirement Plan Consultants, LLC. Mr. Lawton is an award-winning 401(k) investment adviser with over 30 years of experience. He has consulted with many Fortune 500 companies, including Aon Hewitt, Apple, AT&T, First Interstate Bank, Florida Power & Light, General Dynamics, Houghton Mifflin Harcourt, IBM, John Deere, Mazda Motor Corporation, Northwestern Mutual, Northern Trust Company, Trek Bikes, Tribune Company, Underwriters Labs and many others. Mr. Lawton may be contacted at (414) 828-4015 or bob@lawtonrpc.com.

About Lawton Retirement Plan Consultants, LLC

Lawton Retirement Plan Consultants, LLC (LRPC) is a Milwaukee, Wisconsin-based independent, objective Registered Investment Adviser (RIA) providing investment advisory, fiduciary compliance, employee education, provider management and plan design services to employer retirement plan sponsors. The firm specializes in Socially Responsible Investment (SRI) strategies for retirement plans and is a pioneer in the field. LRPC currently has contracts in place to provide consulting services on nearly a half billion dollars in plan assets. For more information, please contact Robert C. Lawton at (414) 828-4015 or bob@lawtonrpc.com or visit the firm’s website at https://www.lawtonrpc.com. Lawton Retirement Plan Consultants, LLC is a Wisconsin Registered Investment Adviser.

Important Disclosures

This information was developed as a general guide to educate plan sponsors and is not intended as authoritative guidance, tax, legal or investment advice. Each plan has unique requirements and you should consult your attorney or tax adviser for guidance on your specific situation. In no way does Lawton Retirement Plan Consultants, LLC assure that, by using the information provided, a plan sponsor will be in compliance with ERISA regulations. Investors should carefully consider investment objectives, risks, charges and expenses. The statements in this publication are the opinions and beliefs of the commentator expressed when the commentary was made and are not intended to represent that person’s opinions and beliefs at any other time. The commentary does not necessarily reflect the opinion of Lawton Retirement Plan Consultants, LLC and should not be construed as recommendations or investment advice. Lawton Retirement Plan Consultants, LLC offers no tax, legal or accounting advice, and any advice contained herein is not specific to any individual, entity or retirement plan, but rather general in nature and, therefore, should not be relied upon for specific investment situations. Lawton Retirement Plan Consultants, LLC is a Wisconsin Registered Investment Adviser and accepts clients outside of Wisconsin based upon applicable state registration regulations and the “de minimis” exception.