On April 14th, 2021, the Department of Labor (“DOL“) issued cybersecurity guidance to plan sponsor and fiduciaries, recordkeepers and other service providers and participants and beneficiaries of plans regulated by the Employee Retirement Income Security Act of 1974, as amended (“ERISA”). The guidance is presented in three separate parts: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices and Online Security Tips for Participants and Beneficiaries.
Over the past ten years, cybersecurity has become an area of critical importance to plan sponsors, plan administrators and plan participants. With plans holding trillions in assets as well as sensitive participant information, retirement accounts have been attractive targets for cyber-enabled fraud. Plan participants are known to check their retirement account balances less frequently than personal banking, credit card or other financial accounts. As a result, there can be a delay before attacks on retirement accounts are discovered, making tracing and recovery efforts exceptionally difficult. Plans also permit electronic access to funds and rely upon outside service providers, which provide additional access points for breach. There is a growing body of litigation involving participants who have suffered retirement plan losses due to cyberattacks. Bartnett v. Abbott Laboratories, No. 20-cv-02127 (ND Ill., 2020) (motion to dismiss participant suit against plan sponsor and administrator granted, but denied with respect to third party record-keeper); Leventhal v. The MandMarblestone Group LLC, No. 18-cv-2727 (ED PA, 2019) (motion to dismiss suit by plan sponsor and participant against third party administrator denied); and Berman v. Estee Lauder, No. 4:19-cv-06489 (ND CA, 2019) (participant suit against plan sponsor, committee and third party record-keeper settled).