Protecting Plan Participants from Cyberthreats in the Age of Remote Working

With more Americans working from home, workers could be more vulnerable to cybersecurity threats – including their retirement accounts. Retirement Director Ben Rizzuto outlines steps plan sponsors can take to screen service providers and discusses lessons to be learned from recent cybersecurity lawsuits involving plan participants.

A study conducted by Stanford University this summer estimated that approximately 40% of Americans were working from home.1 A more recent blog post from the Federal Reserve Bank of Dallas showed that the percentage may have been closer to 25% at its height and has now dropped to around 20%.2 Either way, there’s no denying the fact that a significant portion of the workforce has been conducting business remotely for the past eight months, and that means many retirement plan participants may also be logging on to their accounts from home.

I’ve thought about this frequently during my own remote working experience, especially as the number of cybersecurity lawsuits against plan sponsors and service providers has increased.

A participant’s home Wi-Fi network provides yet another avenue through which a cyberthief can gain access to personal information, including a plan participant’s 401(k) account. While we haven’t yet seen a lawsuit result in direct connection to a work-from-home situation, I think the potential serves as a good reminder to review some of the main issues that have arisen in other cybersecurity cases.

We also just happen to be wrapping up Cybersecurity Awareness Month, which is always a good occasion to take stock of the preventative measures we can use to protect ourselves and our clients.

Abbott Labs

In this case, an unknown individual was able to compromise a participant’s plan account and make off with $245,000. The complaint described numerous interactions between the cyberthief and the plan’s recordkeeper, which started after the thief clicked the “forgot password” option on the Plan’s website, which generated an authentication code that was sent to the plaintiff’s email address. The plaintiff’s email account had already been compromised, which allowed the perpetrator to retrieve the authentication code and access the plaintiff’s Plan account. Once access was gained, the thief changed the account password and added a new, previously unassociated bank account as a distribution option.

From there, all the perpetrator had to do was wait for seven days to pass in accordance with the recordkeeper’s wait period for transfers to new accounts, after which a request to distribute $245,000 from the plaintiff’s Plan account to the new bank account was completed.

In October 2020, the court for the Northern District of Illinois dismissed claims against Abbott, stating: “[t]he complaint fails to allege any fiduciary acts taken by Abbott Labs, no less link them to the alleged theft.”

Claims against the recordkeeper will move forward, however, because in the court’s view, its actions were sufficient to “infer that it acted as a fiduciary by exercising discretionary control or authority over the plan’s assets.”3

It will be important to monitor this case to see how the court analyzes the question of recordkeeper fiduciary status, because it would be a significant departure if the court were to conclude that certain standard recordkeeper functions constitute fiduciary conduct.

Estée Lauder

In the case against Estée Lauder, a participant had $99,000 stolen in three separate transactions from her 401(k) account. The withdrawals were in different amounts and went to three different bank accounts during September and October 2016.

The participant received no confirmation letters for the withdrawals. Additionally, the system in place did not include the step of sending an e-mail to the participant notifying her of the requests before paying the money out. On top of that, two-factor authentication, which has become increasingly common, did not seem to be required in order to access account information on the recordkeeper website.

A settlement was reached in March between the parties, but details are not available at this time.4

Leventhal

One final case I’ll cover is Leventhal v. The MandMarblestone Group. This case was originally filed in 2018 after the theft of a participant’s entire account balance ($400,000). The plaintiff claims that the third-party administrator (TPA) and recordkeeper for the plan should be held under ERISA for facilitating fraudulent withdrawals from his 401(k) account by criminals who posed as the office administrator at Leventhal. This was accomplished by gaining access to a previously completed withdrawal form and then using that form to create a series of fraudulent withdrawal forms that were then sent to the TPA from the office administrator’s email address.5

What’s interesting about this case is that it has led to a counterclaim by the TPA and the recordkeeper, which was filed in May 2020, alleging that the plan sponsor/plaintiffs’ “own carelessness” with respect to their employees and computer/IT systems and policies – including their decision to permit an employee to work remotely and use personal e-mail for official employment duties – enabled the cyber-fraud and other criminal activity to occur.

Implications

What’s important to note about these three cases is that the cyberthieves are simply imposters posing as participants. They are going through many of the available channels, such as the “forgot password” button or calling the plan’s customer service line in order to gain access to information. The cases highlight just how critical it is for plan sponsors to understand how recordkeepers authenticate participants.

Sponsors should ask whether the authentication process utilizes a single factor such as a username/password combination or multiple factors. Multi-factor authentication (MFA) adds an extra layer of security on top of any existing methods of authentication. For example, a website might implement a login process that requires a user to both 1) enter a predetermined username and password and 2) verify their account with a one-time code sent via email or text message. This is key, since 81% of hacking-related breaches leverage stolen and/or weak passwords.6

Along with that, it’s important to understand what happens when participants call in to the recordkeeper’s service center. Customer call center authentication (CCCA) can combine human and machine processes, tools and technologies, and can be, according to a Forrester report on call center best practices, “invariably the channel of last resort for customers looking to get things done, but [it's] still a largely analog avenue riddled with security holes.”7

An effective CCCA process should include asking callers to verify items such as their date of birth, home address or Social Security number, but some companies may be utilizing more high-tech tools such as tokens associated with a caller’s phone or carrier, or MFA that can understand the characteristics of certain sounds that can be translated into a voice print.

These ideas highlight how important it is to carefully screen service providers and evaluate their processes to ensure they are robust and up to date. In fact, the Department of Labor (DOL) has recognized the management of third-party service providers as one of the major areas of vulnerability plan fiduciaries face.

The initial due diligence process and ongoing monitoring of these service providers should focus on answering the following questions, which are drawn from the 2016 DOL ERISA Advisory Council Report, “Cybersecurity Considerations for Benefit Plans.”8

  • What are the service provider’s processes and systems for dealing with cybersecurity threats and protection of personally identifiable information?
  • Is advanced authentication used by the company?
  • Are technology systems regularly updated?
  • Does the service provider have policies on storing personally identifiable information including where it is stored, how long it is stored, and how it is eliminated?
  • Are all personnel who come in contact with personally identifiable information trained on adequate protection of the information?
  • Does the company carry cybersecurity insurance?
  • Has the company experienced any security breaches?

Those questions will help in the selection of a service provider, but they also highlight items plans sponsors should consider including in their ongoing processes specific to cybersecurity, including:

  • Prudent selection and monitoring of third-party service providers with a process that includes investigating how personally identifiable information is protected and document the factors taken into consideration.
  • The purchase of cyber-liability insurance or inclusion of cyber provisions in existing liability policies.
  • Documentation, review and ongoing updates to cybersecurity policies to ensure comprehensiveness.
  • Education of participants to help ensure they do their part to protect themselves against cybersecurity issues – particularly when working remotely.

While cybersecurity can be a difficult subject to wrap one’s arms around based on the increasingly sophisticated methods used by hackers and the growing tactics and technologies available for providers, plan sponsors must view it as an important part of their fiduciary responsibilities. Knowing the right questions to ask and leveraging those in the industry who have the time and expertise to provide support will be key as more and more of our present and future lives move online.

 

1“Stanford research provides a snapshot of a new working-from-home economy.” Stanford News, June 29, 2020.
2“Commuting Patterns During COVID-19 Endure; Minorities Less Likely to Work from Home.” Federal Reserve Bank of Dallas, September 1, 2020.
3Bartnett v. Abbott Laboratories et al., case number 1:20-cv-02127, filed August 2020 in the U.S. District Court for the Northern District of Illinois.
4Naomi Berman v. Estée Lauder Inc. et al., case number 3:19-cv-06489, filed October 2019 in the U.S. District Court for the Western District of California.
5Leventhal, et al. v. The MandMarblestone Group LLC, et al., case number 18-cv-2727, filed May 2020 in the U.S. District Court for the Eastern District of Pennsylvania.
62017 Verizon Data Breach Investigations Report.
7“Best Practices: Customer Call Center Authentication.” Forrester Research, March 22, 2019.
8Department of Labor ERISA Advisory Council Report, “Cybersecurity Considerations for Benefit Plans.” 2016