Who is responsible when a criminal empties a participant’s 401(k) account? What is a plan sponsor’s obligation to try to prevent stolen benefits and data breaches? The legal responsibilities are still being sorted out, but failure to provide adequate protection could be a fiduciary breach.
Help is available to those without the necessary expertise. The Department of Labor has issued Cybersecurity Best Practices for sponsors and recordkeepers, and other helpful guidance on best practices is available from government and private sources. Plan sponsors and other responsible parties without internal expertise can even issue RFPs to get professional assistance.
No steps will ever provide 100% protection against breaches, but in this article for the Journal of Compensation and Benefits, Carol Buckmann discusses the state of the law, court cases in which participants have sued to get stolen benefits restored, and practical steps that can be taken by the company’s fiduciaries to better protect participants and lower the risk of loss.