In an era where digital threats are escalating, benefit plans—including 401(k)s, pensions, and health savings accounts—have become prime targets for cybercriminals. These plans contain immense amounts of sensitive personal and financial data, thereby making cybersecurity not only a technical concern but also a fiduciary responsibility.
Why Cybersecurity Matters for Benefit Plans
Benefit plans hold:
- Personally identifiable information (PII)
- Financial account details
- Employment and compensation records
A single security breach can result in identity theft, financial fraud, and substantial reputational harm. For plan sponsors, the consequences may include legal liability and increased regulatory scrutiny.
Plan Sponsors and Third Parties: Shared Responsibility
Plan Sponsors
Despite outsourcing plan administration, sponsors retain ultimate responsibility for data protection. Essential measures to ensure data security include:
- Performing comprehensive vendor due diligence
- Reviewing cybersecurity policies and audit reports
- Ensuring contractual safeguards and breach notification protocols
Third-Party Providers
Vendors such as recordkeepers and custodians must implement:
- Multi-factor authentication (MFA)
- Data encryption (at rest and in transit)
- Consistent penetration testing
- Incident response and recovery plans
The Impact of Weak Cybersecurity
Recent cyberattacks have disrupted benefit plan operations, resulting in:
- Delayed contributions due to ransomware
- Unauthorized distributions from compromised accounts
- Class-action lawsuits and regulatory investigations
These incidents highlight the need for proactive cybersecurity governance.
Legal Case Examples
Several notable legal cases illustrate the repercussions of cybersecurity breaches:
- Disberry v. Colgate-Palmolive (2022): A retired employee sued Colgate-Palmolive after a hacker drained over $750,000 from her 401(k) account. The lawsuit alleges that plan fiduciaries failed to implement adequate cybersecurity measures, violating their ERISA duties.
- Abbott Laboratories v. Estée Lauder (2014 – 2024): Both companies faced lawsuits from retirees who claimed unauthorized distributions were made from their retirement accounts due to lax cybersecurity. These cases were settled, highlighting the financial and reputational risks of weak controls.
- Walsh v. Alight Solutions LLC (2022): The U.S. Department of Labor (DOL) investigated Alight Solutions, a major third-party administrator, for cybersecurity breaches that led to improper plan distributions. The Seventh Circuit upheld DOL’s authority to investigate such breaches, even when the service provider is not a fiduciary.
- Giannini v. Transamerica Retirement Solutions (2021): After a 2021 data breach exposed his personal information, a plan participant sued Transamerica, alleging failure to protect sensitive data. The case underscores the growing legal exposure for benefit administrators.
Best Practices for Enhancing Cybersecurity Measures
Organizations should take the following measures to secure benefit plan data:
Essential Cybersecurity Measures
- Evaluate Vendor Risk: Review SOC 2 reports and verify cybersecurity certifications.
- Employee Training: Educate HR and benefits personnel on phishing prevention and secure data management practices.
- Enforce Access Controls: Apply least privilege access and monitor user activity.
- Develop an Incident Response Plan: Customize breach response protocols to benefit plan data.
- Consider Cyber Insurance: Ensure coverage includes benefit plan-related breaches.
Advanced and Strategic Practices
- Conduct Regular Risk Assessments: Evaluate internal and external threats, and update controls accordingly.
- Implement Endpoint Detection and Response (EDR): Monitor and respond to threats across all devices accessing plan data.
- Encrypt Backups and Store Them Offsite: Ensure backups are secure and regularly tested for recovery.
- Establish a Cybersecurity Governance Committee: Include HR, IT, legal, and compliance to oversee cybersecurity strategy.
- Monitor Regulatory Guidance: Stay up to date with DOL, IRS, and ERISA cybersecurity recommendations.
- Perform Simulated Attacks (Red Team Exercises): Test your defenses with ethical hacking and penetration testing.
- Review and Update Policies Annually: Ensure cybersecurity policies reflect current threats and technologies.
Regulatory and Fiduciary Considerations
The Department of Labor (DOL) states that under ERISA, cybersecurity is a fiduciary duty. Failing to implement prudent cybersecurity measures could expose plan sponsors to liability for breach of duty.
Effective cybersecurity controls are important for protecting benefit plan data and maintaining operational continuity. By implementing comprehensive protections and ensuring third-party compliance, plan sponsors can meet their fiduciary responsibilities and maintain trust with plan participants.
How Can Our Unique Perspectives Assist You?
MJ’s Risk Advisory and IT Consulting team can help you implement robust cybersecurity controls, monitor shifting regulatory guidance, and evaluate third-party compliance. With our solutions, you can proactively protect plan data and uphold fiduciary responsibilities.
