After Cyber Crime, Workplace Savers Face Long Odds to Get Repaid

Workplace retirement savers who fall victim to cyber crimes are finding they don’t always have an easy way to get their money back as employers and service providers grapple over who’s responsible.

The $19.8 trillion employer-sponsored retirement industry is ripe for web-based thieves, especially as portfolio management and distribution services shift online. Several high-profile federal lawsuits involving companies such as Abbott Laboratories Inc., Colgate-Palmolive Co., and Estee Lauder Cos. Inc. have shed light on the millions of dollars retirement savers are losing.

Those lawsuits also are exposing the extreme lengths to which workers and retirees must go to be made whole after a cyber breach. The insurance products that protect plan sponsors and service providers when they point fingers at each other in the event of a cyber crime don’t cover the actual benefits at the center of the US workplace retirement industry, but are usually designed to cover business and legal costs. Without additional protections, advisers say, participants may have little recourse against a growing threat online.

“One of if not the biggest threat for retirement plan assets are cyber attacks or cyber criminals,” said Kelly Geary, national executive risk and cyber practice leader at EPIC Insurance Brokers & Consultants, a subsidiary of Edgewood Partners Insurance Center Inc. “This is an incredibly lucrative target for criminals to go after, but, absent suing the company you do or used to work for, there are few avenues participants and beneficiaries have to be repaid.”

Little Control

Private-sector retirement plan decision-makers are held to a strict fiduciary standard to ensure that appropriate processes are in place to mitigate risks, safeguard assets, and do business with reputable vendors.

The US Labor Department last year upped the ante for plan fiduciaries, issuing subregulatory guidance making it clearer that cyber protections were part of those routine duties. Emerging case law has split blame between fiduciaries and their vendors when crimes do occur.

The actual victims of those crimes don’t always have a clear path forward, said José Jara, an employee benefits attorney at Fox Rothschild LLP in Morristown, N.J.

“Participants and beneficiaries don’t have much control,” Jara said. “The service providers are selected by the plan sponsor, and they negotiate contracts. The participants don’t have any say on those contracts or the terms and conditions they cover.”

Plan sponsors purchase fiduciary liability insurance to protect against negligence or fiduciary misconduct in the event of litigation and sponsors and their service providers such as recordkeeping firms may purchase criminal liability or cyber insurance to protect against their own losses. But few companies purchase insurance on behalf of their participants.

The Employee Retirement Income Security Act of 1974 (Pub.L. 93-406) requires plan fiduciaries to purchase fidelity bonds that protect participants and beneficiaries from internal threats when the criminal involved is their own employer or benefits advisory panel. External threats, however, aren’t covered.

“What is a participant supposed to do when no one but the criminal is in the wrong?” said Daniel Aronowitz, managing principal and owner of Euclid Fiduciary Managers LLC.

Demand Change

Benefit protections for cyber crimes do exist, but they’re not popular among retirement plan fiduciaries focused on curtailing legal threats against themselves first and foremost.

The Labor Department has suggested that plan sponsors ask recordkeeping firms about cyber insurance they already have in place, which is a good place to start, Aronowitz said. Employers should demand a multifaceted security guarantee from their recordkeepers that includes both criminal and cybersecurity insurance designed to protect participants against fraudulent deferrals and social engineering, he added.

“There’s a reason you don’t hear about these kinds of flagrant cyber breaches from major recordkeeping financial institutions,” Aronowitz said. “It’s not that they aren’t occurring, it’s that they have systems in place to automatically pay back participants well before it goes to court.”

Next, plan sponsors themselves should consider taking out additional insurance policies that protect participants in addition to themselves, he added.

Geary and Jara have pushed for Congress to mandate additional plan sponsor coverage that protects participants from external threats the same way they are from their own employers. The pair authored an article for Bloomberg Tax’s Tax Management Compensation Planning Journal recommending swift action to bolster ERISA fidelity bond coverage.

“Fiduciaries have a responsibility to manage the plan prudently,” said Jara. “That doesn’t mean fiduciaries are FBI agents. They’re not in the business of protecting against crimes, especially more sophisticated crimes like cybersecurity.”