Editor’s Note: This article is written from a non-legal perspective.
While cybersecurity is always a principal concern for organizations, the breadth of fraudulent activity has increased during the COVID-19 pandemic.
A recently filed Employee Retirement Income Security Act of 1974 (ERISA) case concerning Abbott Laboratories and its 401(k) account administrator, Alight Solutions, LLC, raises a variety of issues about the safety of 401(k) plan participant account assets and the proper allocation of financial responsibility when account assets are stolen.
The following discusses the various cases, recent Department of Labor (DOL) guidance, general cybersecurity issues and suggestions for the various parties.
Overview of Abbott Labs Case
- Original Decision: On Oct. 2, 2020, the Northern District of Illinois ruled on motions to dismiss a lawsuit arising out of the theft of $245,000 from the participant account of Heide Bartnett, 59, of Darien, Illinois, a retired former employee of Abbott, in the Abbott Laboratories Stock Retirement Plan (the Plan). The plaintiff alleged that the plan sponsor Abbott Laboratories (Abbott Labs), an Abbott Labs officer who served as the Plan’s named fiduciary and administrator (Administrator), and the Plan’s recordkeeper Alight Solutions, LLC (Alight) breached their fiduciary duties under ERISA by failing to prevent the cyber theft.
- Additional Ruling: On Feb. 8, 2021, the Northern District of Illinois again dismissed the fiduciary breach claims against Abbott Labs, marking the second time the court has dismissed claims against Abbott Labs.
Facts of the Case
- First, the cybercriminal clicked the “forgot password” option on the Plan’s website, which generated an authentication code that was sent to the plaintiff’s email address.
- Then, having already compromised the plaintiff’s email account, the cybercriminal retrieved the authentication code and used it to successfully access the plaintiff’s Plan account.
- Next, the cybercriminal changed the account password.
- The cybercriminal then added a new bank account as a distribution option for the account funds. After seven days had passed in accordance with Alight’s wait period for transfers to new accounts, Alight complied with the cybercriminal’s request to distribute $245,000 from the plaintiff’s Plan account to the new bank account.
The court ruling had to sift through the fiduciary status of each of the defendants, and it concluded that Alight was the only defendant sufficiently alleged to be a fiduciary. As such, all claims against Abbott Labs were dismissed, but the claims against Alight could move forward.
What Does ERISA Provide?
ERISA sets out comprehensive standards of conduct for those who manage an employee benefit plan and its assets. In addition to a specific person being named in the plan document, a fiduciary is defined in ERISA as someone who:
- Exercises discretion over the management of the plan or authority over plan assets;
- Renders investment advice for a fee or other compensation, directly or indirectly; or,
- Has discretion over plan administrative issues.
Fiduciaries must discharge their duties solely in the interest of the plan’s participants and exclusively for the purpose of providing benefits to plan participants and beneficiaries. Among other things, this includes selecting and monitoring plan investments, monitoring plan costs for reasonableness, and overseeing and properly documenting plan administration. These responsibilities bring with them potential liability.
The duty to act prudently is one of a fiduciary’s central responsibilities under ERISA. It requires expertise in a variety of areas, such as investments. Lacking that expertise, a fiduciary will want to hire someone with that professional knowledge to carry out the investment and other functions. Prudence focuses on the process for making fiduciary decisions.
ERISA provides that whether a fiduciary has acted in a prudent fashion is a matter of process, not substantive outcome. For example, plan fiduciaries are not responsible for investment losses if the decisions to select and monitor the investment were prudent. The same analysis could apply to a plan service provider, if, despite its generally ministerial duties, its conduct with respect to the withdrawal of funds from a participant’s account was fiduciary in nature.
Clearly, hiring a service, like Alight, is a fiduciary function and prudence must be followed in the selection and monitoring process. On the point of prudence, the ruling notes that a plaintiff who brings a breach of fiduciary claim, including one based on imprudence, must allege “action that was objectively unreasonable.” Specifically:
“Although she claims that the Abbott defendants were imprudent for hiring Alight, the incidents referenced in her amended complaint occurred after Alight was first offered the job. Indeed, Alight was hired in 2003, and the first incident identified by [plaintiff] occurred in 2013. The court cannot infer that the Abbott defendants breached their duty of prudence by hiring Alight in 2003 based on events a decade later. To be sure, [plaintiff] also argues that the Abbott defendant breached their duty of prudence by renewing Alight’s contract in 2015. But [plaintiff’s] claim still fails, because the incidents that pre-date Alight’s rehiring do not give rise to the inference that renewing Alight’s contract was objectively unreasonable.”
The court similarly rejected the arguments based on the duty to monitor. The court indicated that the specific allegations failed to address whether the Abbott defendants monitored (or failed to monitor) Alight’s performance in accordance with the Plan. Of interest, while the court did recognize that Abbott owed “a fiduciary duty to Bartnett,” the ruling found that the complaint failed to allege any facts indicating a breach of that duty and dismissed those claims as well. The court reasoned that Alight operated the 401(k) plan website and that Bartnett did not claim Abbott knew of unauthorized attempts to access her account. The court also dismissed the Plan as an improper defendant in a breach of fiduciary duty claim.
From a non-legal perspective, the main question is what steps Abbott took to review any and all procedures regarding Alight’s TPA functions and duties, including any reviews of the cybersecurity setup and its monitoring.
- The court noted that the complaint alleged, “far more than legal conclusions concerning Alight, including repeated actions taken by Alight related to the Retirement Plan and its assets, including, most importantly, the disbursement of $245,000 in plan assets.”
- Alight argued that it was not a fiduciary because it performed only “ministerial functions” related to plan administration. The court disagreed, noting that the complaint provides sufficient allegations to infer that Alight acted as a fiduciary by exercising discretionary control or authority over the plan’s assets.
Under ERISA, if a fiduciary breaches his or her fiduciary duty, he or she is responsible for any loss resulting from the breach. But when does a loss result from a breach? This is the issue of the relationship between the breach and the loss. From a general perspective: is there some form of negligence by the plan participant as a contributing factor to the loss?
Assume a plaintiff can establish that the plan fiduciary or the service provider had not taken action to prevent a loss. Could the two other defendants argue that it was plaintiff’s negligence that was the proximate cause of the loss, so that even if one of the other parties may have breached their fiduciary duty, no loss resulted from that breach?
Enter the Department of Labor
To answer that question, keep in mind that the DOL has been historically reluctant to have a plan participant bear the burden of a preventable loss. A judge may take a similar sympathetic approach, but this type of cybersecurity issue has not been addressed by the DOL until recently.
Several months ago, the DOL issued guidance to plan fiduciaries and service providers on issues pertaining to cybersecurity. The guidance also detailed plan participant obligations as well.
The guidance was in a very different format (not regulations, a Field Advisory Bulletin, or an information letter), but rather a detailed list of actions for each of these three categories of persons to take. This may reflect the complex issues involved and the increased number of cybersecurity investigations by the DOL.
This guidance is very detailed, for example recommending as a best practice that service providers review access privileges at least every three months, rather than merely as reasonably necessary, and that they conduct an annual penetration test. It would seem appropriate for plan fiduciaries and service providers to comply with these recommended best practices, as doing so would establish appropriate standards that would assist in defending potential lawsuits. It will be interesting to see how this guidance is viewed and whether it is challenged on the grounds that the DOL does not possess the necessary expertise in this area to provide guidance. We expect additional guidance on these issues to be completed in the near term.
Plan Sponsor Action Plan
Plan sponsors should develop a cybersecurity reporting framework through which service organizations communicate about their cybersecurity risk management programs. Specifically, plan sponsors need to ask appropriate questions, conduct due diligence, evaluate service provider risk management programs, determine potential risks, and take action necessary to protect plan assets and plan data. Plan sponsors need to secure sensitive data and therefore evaluate the cybersecurity protocol of their service providers. Consider the following:
- Cybersecurity Policy. Plan sponsors should design and develop a cybersecurity policy and conduct recordkeeper due diligence to assist them in satisfying their fiduciary duty to secure and keep private participants’ information. Plan sponsors should also seek specific cybersecurity program representations from their TPAs that confirm the existence of a cybersecurity framework to protect confidentiality, secure participant information, and guard against unauthorized access. It may not be enough to simply rely upon the results of the TPA’s independent audit of the internal controls relating to the service organization’s technology system and recordkeeper practices.
- SOC 1 vs. SOC 2. Plan sponsors using service providers that have received a System and Organization Controls 1 (SOC 1) report may incorrectly conclude that they have no cybersecurity issues. However, the SOC 1 report addresses internal controls over financial reporting, not the much broader set of entity-wide cybersecurity controls and risks. A SOC 2 report is designed to provide assurances about the effectiveness of controls in place at a service organization that are relevant to the security, availability, or processing integrity of the system used to process clients’ information, or the confidentiality or privacy of that information. Companies that use cloud service providers use SOC 2 reports to assess the risks associated with third-party technology services. These reports are issued by independent third-party auditors.
The following illustrations with statistics are featured in the Acrisure Cyber Insurance guide. Cowden is an Acrisure Partner.
Employers Should Review Cybersecurity Procedures
Bartnett’s complaint in the Abbott Labs case and similar lawsuits confirm that cyber theft of retirement plan accounts is on the rise, aided by the remote working environment caused by COVID-19. As such, plan fiduciaries should review cybersecurity procedures maintained internally and by service providers. Such a review includes ensuring that distribution request processes are designed to catch suspicious activity and quickly alert participants of any account changes — including accessing the account from a new device, changing a password, adding a new bank account, and, of course, making a distribution request. With such large sums of retirement funds on the line, fiduciaries and service providers must ensure that protective procedures are not only in place but also being followed. A practical solution to this dilemma may be the purchase of insurance to cover this type of loss, even though cybersecurity insurance is relatively expensive and may have a high deductible.
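As an added illustration, not code from the article, from Alight, or from any recordkeeper, the following constructed Python models the two controls described above (alerting the participant on every account change and holding a distribution request that follows a cluster of recent changes) and runs them over an event sequence mirroring the one in the complaint. The event names, the 30-day lookback, the two-signal threshold and the dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str        # password_reset | password_change | new_device | payee_added | distribution
    detail: str = ""

def participant_alerts(events):
    """One alert per account change, for delivery over a second channel
    (SMS, postal letter, app push), since the email that received the reset
    code may itself be the compromised account."""
    return [f"{e.ts:%Y-%m-%d} {e.kind} {e.detail}".strip() for e in events]

def assess_distribution(events, request, lookback=timedelta(days=30)):
    """Score a distribution request against account changes in the lookback
    window (lookback length and the two-signal threshold are assumptions).
    Returns ("hold", reasons) when two or more risk signals stack, else
    ("release", reasons). A hold means out-of-band verification with the
    participant before money moves, not an automatic denial."""
    window = [e for e in events if request.ts - lookback <= e.ts < request.ts]
    kinds = {e.kind for e in window}
    reasons = []
    if {"password_reset", "password_change"} & kinds:
        reasons.append("credentials changed within lookback window")
    if "new_device" in kinds:
        reasons.append("login from unrecognised device within lookback window")
    new_payee = [e for e in window if e.kind == "payee_added" and e.detail == request.detail]
    if new_payee:
        age = (request.ts - new_payee[-1].ts).days
        reasons.append(f"destination payee added {age} days before request")
    return ("hold" if len(reasons) >= 2 else "release"), reasons

# Constructed sample stream mirroring the sequence in the complaint: reset code
# retrieved from a compromised mailbox, password changed, new bank added, then
# a distribution request once the seven-day wait has passed. Dates are invented.
D = datetime(2019, 1, 1)
CASE_EVENTS = [
    Event(D, "password_reset", "code sent to email on file"),
    Event(D + timedelta(minutes=5), "password_change"),
    Event(D + timedelta(minutes=9), "payee_added", "bank-new"),
]
CASE_REQUEST = Event(D + timedelta(days=7, hours=1), "distribution", "bank-new")

# A routine request: payee on file for over a year, no other recent changes.
ROUTINE_EVENTS = [Event(D - timedelta(days=400), "payee_added", "bank-old")]
ROUTINE_REQUEST = Event(D, "distribution", "bank-old")
```

Calling `assess_distribution(CASE_EVENTS, CASE_REQUEST)` yields a hold with two stacked reasons, while the routine request is released; the seven-day wait alone, as the case shows, is not a signal the cybercriminal cannot simply outlast.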
Cybercriminals duping entities into transferring what they believe are legitimate payments to fraudulent bank accounts is becoming an increasingly common problem. Most cyber insurance policies with crime coverage in place will provide some form of protection for situations where policyholders lose money in this way. Purchasing this type of insurance — even at a high price — would appear to be a prudent step.
About the Author
Elliot Dinkin is the president and CEO of Cowden Associates, Inc.