Retirement committee cybersecurity awareness is now a fiduciary duty. In the wake of the recent cyber attack on the Colonial Pipeline, plan sponsors and retirement plan committees should have cybersecurity on their minds. The Colonial Pipeline is a 5,500-mile oil pipeline that supplies almost half of the East Coast’s gasoline supply. If an enormous oil pipeline can be hacked and held for ransom by cyber thieves, a 401(k) plan certainly can.
Colonial was forced to pay hackers $5 million to get control of its pipeline and get it back online. Is your retirement plan prepared to bear such a hefty sum? With cyber theft on the rise, trillions of dollars in workplace retirement plans could be at risk. The sheer magnitude of the U.S. retirement system could make an appealing target for cyber criminals. The rise in remote work and decentralized security protocols makes the target even more attractive. Retirement committee cybersecurity measures should be on the minds of all retirement plan fiduciaries.
The Colonial Pipeline attack notwithstanding, cybersecurity now falls within the purview of plan sponsors and retirement plan committees. ERISA lawsuits focused on cybersecurity are on the rise, and plan fiduciaries should be prepared. The stakes are high, because not only are plan participants accessing their accounts electronically to monitor their savings and choose their investments, they’re withdrawing money online as well. And that’s where the real danger comes in. While verification processes are in place, they aren’t iron-clad, as recent lawsuits have shown. Plan fiduciaries are now responsible for cybersecurity.
ERISA is largely silent on cybersecurity risk. (This is obvious since ERISA was penned well before the technological innovations in use today.) Retirement committee cybersecurity teams are in place at only a low number of plan sponsors. According to a recent article written by New York-based investment manager Harrison Fiduciary Group, “ERISA lawyers and consultants are now compiling detailed diligence monitoring lists to assure that recordkeepers and administrators have adopted state of the art cybersecurity capabilities and safeguards.”
The Department of Labor recently issued retirement committee cybersecurity guidance for retirement plan fiduciaries. This guidance includes tips for hiring service providers, cybersecurity program best practices, and online security tips. As cybersecurity issues heat up, it is critical for plan fiduciaries to familiarize themselves with password protection policies, electronic account access, and control testing. They must also review insurance and fidelity bond coverage to ensure in-force protection in the event of a cybersecurity breach and related losses.
ERISA requires plan fiduciaries to be “prudent experts” on all things cybersecurity. How can plan fiduciaries – specifically retirement plan committee cybersecurity teams – protect themselves in a digital age where cybersecurity-related crimes are on the rise? If your retirement committee would benefit from TPSU’s Retirement Committee Education, please click here. This includes a one-hour instructor-led course for your retirement committee.
Plan sponsors and fiduciaries must think differently as their responsibilities evolve with the times. Cybersecurity is a critical risk that must be managed. Thus, best practices and protocols must be considered and put in place now, before a cybersecurity breach occurs.
To learn more about cybersecurity and fiduciary breaches through The Plan Sponsor University’s complimentary fiduciary education program, click here.
Steff C. Chalk is Executive Director of The Retirement Advisor University, a collaboration with UCLA Anderson School of Management Executive Education. Steff also serves as Executive Director of The Plan Sponsor University and is current faculty of The Retirement Advisor University.