Date: March 14, 2024
Attorney: Gary S. Young

Gary S. Young, Partner in the Corporate, ERISA, and Employment Practice Groups at Mandelbaum Barrett PC, and Patrick A. DaSilva, a Law Clerk at Mandelbaum Barrett PC authored an article for the New Jersey Law Journal.

In today’s rapidly advancing digital landscape, innovations like artificial intelligence, quantum computing, and the expansive reach of the internet have transformed our lives and workplaces. However, alongside these advancements, the proliferation of cyberattacks poses a significant threat to individuals and organizations across various sectors. From businesses to hospitals, schools, and government entities, cybercriminals target a broad spectrum of institutions, with private sector retirement accounts emerging as particularly attractive targets. This trend raises concerns for plan sponsors operating under the purview of the Employee Retirement Income Security Act (ERISA).

ERISA, enacted in 1974, established fiduciary responsibilities for those entrusted with managing retirement plans. Designed to safeguard the interests of plan participants, ERISA sets a stringent standard of conduct for plan sponsors, administrators, and trustees. Yet, as the digital landscape evolves, cyberattacks have become a pervasive threat, challenging the efficacy of ERISA’s framework.

Recent data underscores the urgent need for bolstered cybersecurity measures within retirement plans. With private sector pension plans holding approximately $9.3 trillion in assets as of 2018 and cybercrime losses reported at $6.9 billion in 2021 by the Federal Bureau of Investigation, the scale of the challenge cannot be overstated.

Legal precedents, such as Disberry v. Emp. Rels. Comm. of the Colgate-Palmolive, underscore the potential liabilities faced by plan sponsors in the aftermath of cyberattacks. “There has been increasing recognition that the fiduciary duties imposed under ERISA apply fully to cyberattacks targeting retirement accounts,” write Gary S. Young, a Partner in the Corporate, ERISA, and Employment Practice Groups at Mandelbaum Barrett PC, and Patrick A. DaSilva, a Law Clerk at Mandelbaum Barrett PC.

Acknowledging the seriousness of the situation, the Department of Labor (DOL) issued guidance in 2021 to aid fiduciaries in addressing cybersecurity risks. This guidance advocates for proactive measures, including rigorous vetting of service providers, conducting comprehensive risk assessments, and implementing robust cybersecurity training programs.

Active participation from plan participants is also encouraged in safeguarding their retirement accounts. By remaining vigilant against suspicious activities and adhering to best practices outlined by the DOL, participants can contribute to a collective effort to fortify cybersecurity defenses.

While the DOL guidance provides valuable insights, stakeholders must tailor their strategies to suit their unique circumstances. By adopting a proactive stance and investing in robust cybersecurity protocols, plan sponsors can mitigate the risks posed by cyberattacks and fulfill their fiduciary obligations.

In conclusion, the threat of cyberattacks presents formidable challenges for fiduciaries overseeing retirement plans. However, by staying abreast of developments, implementing prudent measures, and fostering collaboration, stakeholders can effectively navigate these challenges and safeguard the financial well-being of plan participants.

To read the full article, click here: Cyberattacks and the Role of Fiduciaries Under the Employee Retirement Income Security Act | New Jersey Law Journal