Can employers face liability when a cyber-attacker steals funds from an employee's individual 401(k) account?

Retirement plans face increased risk of cyber-attacks that result in theft of plan assets. Few entities can keep pace with cyber-criminals who target accounts for theft, and the security requirements for industries that safeguard funds change often and rapidly. When hackers steal plan funds through individual participants' accounts, what responsibility does the employer have for the theft?

Employers are the sponsors of these retirement plans, and that role makes them plan fiduciaries: the employer has a fiduciary responsibility to all plan participants to protect the plan's assets. Employers typically delegate the management and handling of those plans to third-party providers. Despite this, the employer, as plan sponsor, remains a fiduciary of the plan and its participants, so the obligations regarding plan operations and the duty to protect plan assets continue to rest with the employer.

Many plan participants, the employees, do not maintain the security protections that are recommended today. Some employees may even choose not to set up their online accounts at all, preferring to rely on the quarterly reports they receive in the mail rather than monitor their account online. This invites the question: what liability does a plan sponsor face for failing to insist that individual participants implement security measures to protect their accounts? Presumably, most employers rely on the security protocols of their third-party provider, and most employers leave the details of the security measures on a particular participant's account up to that participant.

Could a court someday hold an employer responsible for an external theft from an individual participant's account? It is an interesting question that, to the authors' knowledge, has not yet been resolved, but it is one that all plan sponsors need to consider as they decide how to address security for plan participants.
Ideas for addressing this concern in a preventative way include:

  1. Plan sponsors may need to require employees who participate in employer-provided retirement plans to implement, and update more frequently, the security measures on their accounts.

  2. Employers should take extra care when the plan alerts the employer to an employee's distribution request, and should consider whether to take steps to confirm that the employee actually requested the distribution. An employee is certainly responsible for staying alert to any inquiries about distributions from their plan that they did not initiate, but when liability for a theft from a plan is at issue, employers may be held responsible for the processes they put in place to protect against theft.

  3. Employers who assist employees with distribution forms could confirm that the employee intended to request a distribution, and should document that confirmation whenever they do so.

  4. Employers can also put other protections in place to help recover a participant's assets in the event of theft. Employers are required to have fidelity bonds protecting those plans from internal loss of assets, but they should consider investing in insurance that protects against external attacks on plan assets, to provide an avenue of relief for any impacted participant.

  5. Finally, employers relying on third parties to administer any 401(k) plan should ensure they have a strong indemnification agreement with the provider, in case the provider fails to follow proper security measures and a theft from the plan results.

The Employee Benefits Security Administration issued guidance in 2021 that is helpful to employers who sponsor 401(k) plans; it provides tips for hiring a service provider and other best practices.

If you have questions about your plan liabilities as an employer or other workplace-related matters, please contact Chris Gantt-Sorenson or Mac McLean.