SOLUTIONS IN A FLASH – RETIREMENT PLAN CORRECTION SOLUTION:
Mr. Ripley’s Talented Identity Thief
By: Alison J. Cohen, Esq. and Hayden Speed Herock, Esq.
Tom Ripley has been saving diligently for years into his company’s 401(k) plan. He dreams of someday enjoying his retirement and traveling around the world. In preparation for his annual meeting with his personal financial advisor, Tom pulls his 401(k) statement from his online account and sees that $500,000 appears to be missing. In looking at the activity data, he sees that just last week a distribution was processed. “What the heck?!” Tom thinks in panic. “I didn’t request a distribution!” He immediately contacts Marge, the Director of HR, and shows her his account statement.
Marge, fairly new to the world of 401(k) administration, is terrified. At once, she calls her account representative at the recordkeeper, Dickie, to report the possible breach. Dickie assures her that they will look into this, and immediately opens a ticket internally. Freddie, the recordkeeper’s IT security contact, looks at the history of the transaction and confirms that the request came from someone who logged into Tom’s account and used his password. Since it all looks right, Freddie tells Dickie that nothing wrong happened on their end. Dickie emails Marge that it was a participant issue and that the ticket is closed. Marge does nothing.
After weeks of sending emails to Marge and leaving her increasingly panicky voicemail messages, Tom engages an attorney and files a lawsuit against his company. He never thought this would happen to him.
What Should HR Have Done?
There is no question that Marge made several mistakes. Upon receipt of the email from Tom notifying her of the possible breach, Marge should have immediately notified senior management and legal counsel. Regardless of the outcome of the investigation by the recordkeeper, the company is the plan sponsor and fiduciary with an obligation to protect its participants. Ignoring Tom’s inquiries just because there may have been misuse of his user ID and password isn’t right, and it’s not a surprise that Tom resorted to legal action.
Notifying the recordkeeper (and possibly a third-party administrator, if one is involved) is an immediate next step. Marge did this, which is good, but she also should have notified her own internal IT people. There could be a breach of the company’s system which led to the misuse of Tom’s ID and password and, until a thorough investigation is done on all sides, the source of the breach can’t be known.
Either the company’s legal counsel or Marge should also have immediately contacted their insurance carrier to determine what sort of coverage they may have that can assist in this situation. They should certainly do that now, since they are being sued. Although plans are required to carry a fidelity bond, such a policy is only good if an employee of the company has committed the theft. At this point, it can’t be ruled out that that’s what happened, but usually this type of crime is perpetrated by an outside party, rendering the fidelity bond useless. What the company really needs is coverage for either a fiduciary breach or a cyber event. And if the company should discover that it has such coverage, the insurer will assign legal counsel and technical support to the company for the investigation and resolution.
At the very least, now that Tom has filed a lawsuit, there may be coverage to aid in the defense of the lawsuit.
It is also important to note that the company should have done its due diligence when selecting its service providers. The U.S. Department of Labor (“DOL”) released guidelines in 2021 for plan sponsors to follow when evaluating service providers, and recently updated them in September 2024 under Compliance Assistance Release No. 2024-01. The recent update makes it clear that these guidelines are not only for retirement plan service providers, but also for those servicing health and welfare plans. The company has hopefully verified that its recordkeeper has strong cybersecurity practices.
Finally, when there is a cyber breach, time is of the essence. Taking action quickly to track the money may enable it to be pulled back into the plan and can assist in identifying the thief. Both the company and the recordkeeper should have treated the report of $500,000 of missing participant money with a strong sense of urgency.
What Should Tom Do?
The DOL has compiled a list of helpful tips for individuals to reduce the risk of fraud. One of the simplest and most effective ways for Tom to safeguard his account is to regularly change his passwords and avoid using the same one twice. The DOL recommends using at least 14 characters with a mix of lower and uppercase letters, numbers, and special characters. He should also avoid using easily discoverable information, such as his pet’s name or mother’s maiden name, for his password, especially if he has shared that information publicly. Tom should also consider using a password manager app to securely store and help generate passwords.
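As an added illustration of the password advice above (not DOL code and not from the article), the function below checks a candidate password against the recommendations the DOL tips describe: at least 14 characters, a mix of lowercase, uppercase, digits and special characters, no easily discoverable personal information, and no reuse of an earlier password. The 14-character minimum and the four character classes come from the text; the personal-information deny list, the 4-character substring rule and the hashed-history reuse check are assumptions about how a plan's recordkeeper might enforce the advice.

```python
"""Password policy check modelled on the DOL tips summarised in the article.

Added example, not DOL or recordkeeper code. Assumptions: personal data is
supplied by the caller as a deny list, and previous passwords are kept as
hashes so they can be compared without storing the plaintext.
"""
import hashlib
import string

MIN_LENGTH = 14  # DOL recommendation quoted in the article


def fingerprint(password):
    """Hash a password for the reuse-history comparison only.

    Assumption for the example: a real password-history store should use a
    salted, deliberately slow hash (bcrypt, scrypt or Argon2), not plain SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_policy_failures(password, personal_info=(), previous_hashes=()):
    """Return a list of policy violations; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")

    # Anything from the deny list (pet's name, mother's maiden name, ...) that
    # appears inside the password, ignoring case, counts as discoverable.
    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 4 and item.lower() in lowered:
            failures.append(f"contains personal information ({item!r})")

    # "Avoid using the same one twice": compare against the stored history.
    if fingerprint(password) in previous_hashes:
        failures.append("reused a previous password")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs for Tom's account (not from the article).
    history = {fingerprint("OldRipley2023!!")}
    for candidate in ("tomripley", "RipleyPassword1!", "correct-Horse-battery-7"):
        print(candidate, "->", password_policy_failures(
            candidate, personal_info=["Ripley", "Snowball"], previous_hashes=history) or "OK")
```

The deny list is deliberately caller-supplied: a recordkeeper can only check for information it already holds (name, date of birth, address), so the check complements, rather than replaces, the advice to keep such details out of passwords.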
Increasing in popularity among businesses and individuals is multifactor authentication (“MFA”). MFA requires a second method of verification before granting access to an account, such as a code sent to Tom’s phone or email, a fingerprint, or security questions. Tom can use this as an additional layer of protection on his account, and the system will alert him to any unauthorized access attempts.
The DOL also warns us all to be cautious when using public Wi-Fi in places like coffee shops, airports, or hotels. These networks are not secure, which makes it easier for cybercriminals to intercept data. If Tom needs to work outside the office, it is best to use his own personal hotspot or home Wi-Fi.
Phishing attacks are also a common tactic amongst criminals. These could look like an email or text requesting personal information. Tom can help prevent these attempts by contacting HR or IT whenever he sees a suspicious email to determine its legitimacy before clicking on any links or downloading an attachment. Most importantly, Tom should continue monitoring his accounts for suspicious activity. If he notices anything unusual or receives an email of an access attempt, he should change his password and notify HR immediately.
The responsibility of cybersecurity is not all on Tom’s shoulders, but he can certainly reduce his risk of falling victim to a breach by following these tips from the DOL.
Now that the distribution has taken place, Tom should immediately check the mailing address and email address on file in the recordkeeper’s system to see whether either has been changed. He should also change his password to one that complies with the DOL guidance, to protect the rest of his account balance, and turn on MFA for his retirement account and his other financial accounts. Tom may have fallen victim to a larger scheme that goes beyond his retirement account.
Tom should run a credit report and, if he hasn’t already done so, freeze his credit with the three major credit reporting bureaus (Equifax, Experian, and TransUnion) to prevent the bad actors from doing even more damage to his finances. A credit freeze won’t prevent Tom from using his credit cards, but it will prevent thieves from taking out additional credit cards or loans in his name. He should also look to engage an identity monitoring service that can scan for misuse of his information and help mitigate any new threats. These services are inexpensive and incredibly helpful should someone try to steal Tom’s identity.
What Should the Service Providers Do?
As a service provider, the recordkeeper should have a written policy and detailed internal procedures on how it handles any potential breach. Freddie may not be the right IT professional to investigate the distribution and how the bad actor got into the system. Forensic IT investigation is a specialty area, and specialists should be engaged for such an event. Even if the bad actor got into the system with Tom’s ID and password, the investigation should be looking into other possible warning signs such as:
- Was Tom’s password recently changed?
- Is there a history of suspicious voice calls?
- Did someone change Tom’s address or notification method recently?
- Were there other irregular transactions that should have given the recordkeeper pause?
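The four questions above are the kind of checks a recordkeeper can automate at the moment a distribution is requested, rather than only asking them after the money has left. The example below is an added illustration, not the recordkeeper's or the article's code: it runs over a constructed account event history for Tom and returns the flags that should hold a request for manual review. The 14-day lookback window, the event types and field names, and the "large amount" threshold of 25% of the balance are all assumptions made for the example.

```python
"""Pre-distribution risk flags based on the article's investigation checklist.

Added example with constructed data. Assumptions: account events are dicts
with an ISO 8601 'time' and a 'type'; the lookback window, event vocabulary
and large-amount fraction are illustrative choices, not a real provider's rules.
"""
from datetime import datetime, timedelta

# Constructed sample history for Tom's account (not from the article).
SAMPLE_EVENTS = [
    {"time": "2024-10-01T09:12:00", "type": "login", "channel": "web"},
    {"time": "2024-10-28T14:03:00", "type": "call", "outcome": "failed_identity_verification"},
    {"time": "2024-10-29T08:41:00", "type": "password_reset", "channel": "web"},
    {"time": "2024-10-29T08:45:00", "type": "contact_change", "field": "email"},
    {"time": "2024-10-29T08:46:00", "type": "contact_change", "field": "mailing_address"},
    {"time": "2024-11-04T10:30:00", "type": "distribution_request", "amount": 500000.0},
]


def distribution_risk_flags(events, request, account_balance,
                            lookback_days=14, large_fraction=0.25):
    """Return (code, detail) pairs for a distribution request; empty means no hold.

    Checks, in the order the article lists them: a recent password change,
    suspicious calls, recent address or notification changes, and other
    irregular transactions (another recent distribution, or an unusually
    large share of the balance).
    """
    req_time = datetime.fromisoformat(request["time"])
    window_start = req_time - timedelta(days=lookback_days)
    flags = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        # Only events inside the lookback window and before the request matter.
        if t >= req_time or t < window_start:
            continue
        age = (req_time - t).days
        if ev["type"] == "password_reset":
            flags.append(("recent_password_reset",
                          f"password reset {age} days before request"))
        elif ev["type"] == "contact_change":
            flags.append(("recent_contact_change",
                          f"{ev['field']} changed {age} days before request"))
        elif ev["type"] == "call" and ev.get("outcome") == "failed_identity_verification":
            flags.append(("suspicious_call",
                          f"caller failed identity verification {age} days before request"))
        elif ev["type"] == "distribution_request":
            flags.append(("repeat_distribution",
                          f"another distribution requested {age} days before request"))
    if account_balance and request["amount"] >= large_fraction * account_balance:
        share = request["amount"] / account_balance
        flags.append(("large_amount", f"request is {share:.0%} of the account balance"))
    return flags


if __name__ == "__main__":
    request = SAMPLE_EVENTS[-1]
    for code, detail in distribution_risk_flags(SAMPLE_EVENTS, request, account_balance=800000.0):
        print(f"HOLD [{code}]: {detail}")
```

In the sample history the request would be held on four distinct grounds, which is exactly the pattern the article describes: a caller who failed verification, then a password reset and two contact-detail changes within a week, followed by a request for most of the balance. Any one of those flags alone should route the request to a human and to out-of-band confirmation with the participant, using contact details that predate the changes.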
The service provider should also have immediately notified its senior management and insurance carrier of the possible claim. Failure to notify an insurance carrier as soon as a possible claim arises can void your coverage in relation to that claim.
If there is a 3(16) service provider that approves the distributions, they should have been notified and involved immediately by either the company or the recordkeeper, as they can also have potential liability. A full investigation has to include all parties that may have access to the plan and its participant accounts, as well as anyone who could have been involved in the process that gave rise to the loss.
Communication is key. A failure to communicate is a great way to frustrate all parties involved and end up on the wrong side of a lawsuit. All communications should be vetted by legal counsel, because what you say is almost as important as what you don’t say. Transparency is important to keeping client and participant trust and to protect a firm’s reputation. If the service provider did something wrong, then it is up to legal counsel and the insurer to properly craft a settlement with the aggrieved party.
Service providers, whether TPAs or recordkeepers, should also be familiar with the DOL’s guidelines including the detailed Cybersecurity Program Best Practices. Best practices include developing a cybersecurity program and policies, as well as ongoing training of personnel. While the list may appear to be daunting, and potentially expensive, it is important to remember that your clients are entrusting their hard-earned retirement savings to you. Although you may or may not be acting in a fiduciary capacity, having a tight set of procedures can prevent a service provider from being named as a defendant in a lawsuit.
- Posted by Ferenczy Benefits Law Center
- On November 12, 2024