Cyber Threats to Retirement Plans and What Plan Sponsors Can Do About It

Cybercrime continues to increase and pose a credible threat both to employers and their employees. According to the FBI’s 2022 Internet Crime Report, losses caused by internet crime rose 48% in the last year to over $10.2B. 
There are four types of threats retirement plan sponsors and their participants should be concerned about:

1. Unauthorized access and acquisition of their personal data.
Over the last year we have seen a number of large data breaches impacting leading social media, telecommunications, and credit reporting businesses, resulting in the disclosure of over 800M customer records [1].

2. Disruption to their business operations due to ransomware.  
In a ransomware event, a cybercriminal infiltrates an organization, encrypts its data and/or systems so that they become unavailable, and then issues a ransom note demanding payment for the decryption key. Such ransoms can run into the millions of dollars, and the resulting outage can disable a company for weeks or months.

3. Theft of retirement assets (fraud).
Criminals are becoming increasingly aware that most people’s wealth is in their retirement plan, not their bank account. Often plan participants don’t actively monitor their retirement accounts and have a tendency to reuse internet passwords, which makes it easier for criminals to access online accounts. Multifactor authentication options and modern fraud surveillance systems are essential here. Also, plan sponsors and participants should be aware that plan assets are not guaranteed by the government (unlike bank or brokerage accounts). Reimbursement for fraud losses can vary by employer or service provider.

4. Scams that result in the inappropriate distribution of retirement assets.
We’ve seen an increase in fraudsters impersonating government agencies and contacting employees, claiming their account has been compromised and recommending they immediately move their assets to a “safe” third-party account, which the fraudsters control. Periodically individuals are duped by these scams, withdrawing assets from their retirement plans and then transferring the funds to third-party accounts.
What responsibility does a plan sponsor/fiduciary have?

While cybersecurity is not explicitly mentioned in ERISA, the Department of Labor (DOL) has noted that plan sponsors and fiduciaries have a responsibility to help keep participants safe from cybercrime both in terms of cybersecurity and fraud protection.

In April 2021, in response to growing cyber and fraud threats to employee retirement information and assets, the DOL published cybersecurity best practices. This guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA) as well as plan participants and beneficiaries.

The guidance was issued in three forms:

  1. Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  2. Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  3. Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

Even though the DOL has provided the above as guidance, plan sponsors should expect to be audited against a sample of these practices as part of a standard DOL ERISA audit. In such cases, the DOL has been seeking assurance that employers have performed appropriate due diligence over their own controls and those of their service providers.

How can plan sponsors take action?

While threats have intensified, consistent application of cybersecurity and fraud prevention best practices can help prevent most losses. As a start, conduct due diligence on both your service providers and your own controls, and ensure that protection is consistent with established industry guidance, such as the practices documented in the SPARK Institute’s Plan Sponsor and Advisor Guide to Cybersecurity. The DOL offers more suggestions in its article, Tips for Hiring a Service Provider With Strong Cyber Security Practices. Any service provider that processes and stores sensitive personal information should conduct annual, independent audits of its security posture and make the reports available to the employers it supports.

Other key questions for the service provider include how it is positioned to respond if there is a data breach or fraud event, whether it offers an account guarantee, and, if so, what the requirements of that guarantee are. Have a constructive conversation with your service provider about how it detects, prevents, and responds to fraud, and how together you can help mitigate the risk to your employees.

[1] FBI 2022 Internet Crime Report.

Fidelity Workplace Services LLC, 245 Summer Street, Boston, MA 02210
© 2023 FMR LLC. All rights reserved.

Dennis Lamm, SVP, Customer Protection, Fidelity Investments
