“Who is liable when cyber theft occurs?” is a featured question in the Spring 2023 edition of PLANADVISER magazine, addressing the cybersecurity responsibilities of retirement plan recordkeepers and sponsors in protecting participants.

The article aims to educate readers on strengthening cybersecurity, based on insight gained from the Disberry vs. Colgate-Palmolive ERISA cybersecurity lawsuit, in which over $750,000 was stolen from a retirement account.

The suit alleged that the recordkeeper, Alight Solutions, did not adhere to security protocols to prevent the theft. Fraudsters impersonating the plan participant contacted the recordkeeper to request a change of mailing address. Subsequent paperwork, including a personal identification number, was intercepted and used by the bad actors to change login credentials and add a new bank account. The fraudsters then withdrew the entire contents of the retirement account.

Brian Edelman commented that “extra safeguards should be in place when first making a distribution to a new destination, such as a new bank account” and that “distribution to a new bank account should be considered high-risk, as opposed to a routine distribution to an existing account.”

The cyber lawsuit shines a spotlight on the need for cybersecurity safeguards and security policies to be in place and enforced by retirement plan fiduciaries.

PLANADVISER, Spring 2023