Workplace savers who fall victim to cybercrimes find they don’t always have an easy way to get their money back as employers and service providers grapple with who is responsible.
The $19.8 trillion employer-sponsored retirement industry is ripe for web thieves, especially as portfolio management and distribution services move online. Several high-profile federal lawsuits involving companies such as
These lawsuits also expose the extreme lengths that workers and retirees must go to in order to be made whole after a cyber breach. Insurance products that protect plan sponsors and service providers when they point fingers in cases of cybercrime do not cover actual benefits central to the American workplace retirement industry, but are generally designed to cover business and legal costs. Without additional protections, advisers say, participants may have little recourse against a growing online threat.
“One of the biggest threats to pension plan assets, if not the biggest, is cyberattacks or cybercriminals,” said Kelly Geary, a national leader in executive risk and cyber practice at EPIC Insurance Brokers & Consultants, a subsidiary of Edgewood Partners Insurance Center Inc. “There are few opportunities for participants and beneficiaries to seek reimbursement.”
Little control
Private sector pension plan decision makers are held to a strict fiduciary standard to ensure that appropriate processes are in place to mitigate risk, protect assets and do business with reputable providers.
Last year, the US Department of Labor upped the ante for plan trustees, releasing sub-regulatory guidance specifying that cyber protections were part of these routine tasks. Emerging case law has shared the blame between trustees and their vendors when crimes occur.
The real victims of these crimes do not always have a clear path to follow, said Jose Jara, benefits attorney at Fox Rothschild LLP in Morristown, NJ.
“Participants and beneficiaries don’t have much control,” Jara said. “The service providers are selected by the plan sponsor and they negotiate the contracts. Participants have no say in these contracts or the terms and conditions they cover.”
Plan sponsors carry fiduciary liability insurance to protect against fiduciary negligence or misconduct in the event of litigation, and plan sponsors and their service providers, such as record-keeping firms, may carry criminal liability or cyber liability insurance to protect against their own losses. But few companies take out insurance on behalf of their participants.
The Employee Retirement Income Security Act of 1974 (Pub.L. 93-406) requires plan trustees to purchase fidelity bonds that protect members and beneficiaries from insider threats when the criminal involved is their own employer or a benefits advisory board. External threats, however, are not covered.
“What is a participant supposed to do when no one but the criminal is wrong?” said Daniel Aronowitz, CEO and owner of Euclid Fiduciary Managers LLC.
Change in demand
Cybercrime protections do exist, but they’re not popular among pension plan trustees who are primarily focused on reducing legal threats to themselves.
The Department of Labor has suggested plan sponsors ask record-keeping firms about what cyber insurance they already have in place, which is a good place to start, Aronowitz said. Employers should require a multi-faceted security guarantee from their record keepers, which includes both criminal insurance and cybersecurity insurance designed to protect participants against fraudulent reporting and social engineering, he added.
“There’s a reason you don’t hear about these kinds of egregious cyber breaches from major record-keeping financial institutions,” Aronowitz said. “It’s not that they’re not happening, it’s that they have systems in place to automatically reimburse participants long before it ever goes to court.”
Then plan sponsors themselves should consider purchasing additional insurance policies that protect participants in addition to themselves, he added.
Geary and Jara lobbied for Congress to mandate additional coverage from plan sponsors that protects participants from external threats the same way they do from their own employers. The two are the authors of an article for Bloomberg Tax’s Tax Management Compensation Planning Journal recommending swift action to bolster coverage of ERISA fidelity bonds.
“The trustees have a responsibility to manage the plan prudently,” Jara said. “This does not mean that the trustees are FBI agents. They are not responsible for protecting against crimes, especially more sophisticated crimes like cybersecurity.”