Who’s to Blame?
If a plan participant is a victim of cyberfraud, this raises a host of questions. Who provides the compensation? Who is a fiduciary in such circumstances? And what cybersecurity standards are effectively required of recordkeepers under the Employee Retirement Income Security Act? A recently filed lawsuit seeks to answer these questions and may establish some needed precedent for judging who is liable when cyberfraud occurs: The recordkeeper? The plan? Both? Another?
In recent years, there has been an increased threat of retirement plan account takeovers and fraud as criminals actively target retirement savings. To protect plan accounts, experts say, there needs to be more awareness of the threat, as well as the implementation of sufficient controls to protect retirement assets.
Awareness is growing, it seems, as consumers express concern for the protection of their personal information. A recent survey by analytics and software provider FICO found that the top consideration for opening a new financial account was “good fraud protection,” chosen by 33.1% of respondents, followed by “ease of use” and then “good value for the money.”
“Increased personalization means we all need to view cybersecurity as a responsibility,” says Ben Rizzuto, a retirement director at Janus Henderson Investors in Denver. “Recordkeepers need to have technology and training in place. Plan sponsors and advisers need to have good processes, including [for] hiring and reviewing service providers along with educating participants on the importance of cybersecurity.”
The Case
In July of last year, Paula Disberry filed a legal complaint alleging that her employer-sponsored retirement account, totaling approximately $750,000, had been stolen by fraudsters.
The plan sponsor, Colgate-Palmolive, and the recordkeeper, Alight, have decided to defend the case beyond the motion to dismiss. This could lead to a decision on the merits—a first for a cyberfraud case of this size, according to Mark Boyko, an ERISA attorney and partner in Bailey Glasser LLC in St. Louis.
Disberry was employed by Colgate-Palmolive from December 1993 to March 2004. She moved from England to South Africa in 2008 and updated her mailing address again in 2016. She tried to access her retirement account in August 2020, but her login credentials were denied. That September, she learned her entire account balance had been stolen.
In October 2021, Disberry requested a withdrawal from her account, even though she knew there was no balance, the complaint says. Last April, Alight denied this request, saying her balance could not be retrieved. Disberry brought suit last July.
According to Disberry, a number of red flags were ignored. The fraudsters contacted Alight in January 2020 and asked to change her mailing and email addresses, plus her phone number. Alight mailed a personal identification number to Disberry’s home in South Africa, which, according to the complaint, the fraudsters likely intercepted. Once the thieves possessed the PIN, they were able to change her information to a different email address and phone number, registered in South Africa. Alight never tried to reach Disberry by email or phone during this process, according to the complaint.
In February 2020, the fraudsters contacted Alight’s service center to change her login credentials, and permission was granted. That March 9, they added information for a bank account in Las Vegas, although the phone number and email address remained South African. Shortly after, on March 17, they changed Disberry’s mailing address to one in Las Vegas. Alight did send notices of these changes, but it used the new, fraudulent contact information, so Disberry never saw them.
The fraudsters successfully withdrew the entire account balance on March 20, 2020, approximately two months after changing the contact information and 11 days after changing the bank information. The funds were mailed to them as a check that was cashed on March 27.
The 11-day window between the bank account change and distribution is key. Disberry alleges that Alight maintained a policy requiring itself to wait 14 days after a change in account information before processing a distribution.
The three defendants in the case—also including the Bank of New York Mellon Corp.—filed motions to dismiss. In December 2022, the judge dismissed the case against BNY Mellon on the grounds that it merely cut the check and was not a fiduciary for Disberry’s savings. Colgate-Palmolive’s motion to dismiss was denied because the company is the plan sponsor and is required to monitor its service providers. Alight’s motion was also denied because it had discretion over whether to execute the distribution and was therefore a fiduciary.
The Discussion
Cases of this kind are normally settled out of court, says Kimberly Jones, an ERISA attorney and a partner in Faegre Drinker Biddle and Reath LLP in Chicago. The plaintiffs are highly sympathetic because they have lost their retirement savings through no fault of their own, she notes.
Most fraud of this sort has been handled privately, Boyko says. The use of settlements means there are no clear precedents to guide the case. However, cases such as this draw attention to industry best practices, he says.
Since fraud typically involves a relatively small amount of funds, it is often in the defendants’ interest to settle. But, Boyko says, there is a “growing sense that, at some point, there will be a fraud too big to be resolved that way. [This case] is a skirmish before a bigger battle that everyone sees on the horizon.”
Both Jones and Boyko agree that recordkeepers have to follow their own policies. The standard of prudence that has evolved from ERISA litigation is that of a “prudent expert,” Boyko says, and if a recordkeeper maintains a security policy, that means the company knew, or at least thought, it was imprudent not to follow it.
Brian Edelman, CEO of FCI Cyber, a cybersecurity firm in Bloomfield, New Jersey, says extra safeguards should be in place when first making a distribution to a new destination, such as a new bank account. He explains that a distribution to a new bank account should be considered high-risk, unlike a routine distribution to an existing account. He also says that, in this case, a substantial amount of information was changed within a short time frame, which he would consider a red flag. Changing login credentials plus contact information is especially dubious, since there is no logical relationship between the two, he says.
Jones admits that the criminals in this case were “highly sophisticated” and it is possible that, sometimes, nobody is at fault. If the fiduciaries do everything right, but the thieves do everything righter, can you justly hold the fiduciaries responsible, tragic though the case may be for the participant? In the absence of solid precedents, it is hard to say, though this “good fiduciary, beaten by better criminals” narrative is certainly not the one that Disberry advanced.
The SPARK [Society of Professional Asset Managers and Recordkeepers] Institute’s Best Practice Fraud Controls say a recordkeeper should verify the identity of the participant before changing login credentials and should notify participants of account activity using the contact information it has on file.
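The controls described above (a waiting period after a bank-account change, treating the first payment to a new destination as high-risk, flagging a cluster of changes, flagging credential and contact changes together, and notifying the participant at the contact details held before a change) can be expressed as checks over an account's change history. The following is an added example written for this article; it is not code from Alight, SPARK or any recordkeeper. The event kinds, the 90-day look-back window, the three-change threshold, and the contact and bank values in the timeline are assumptions; the March dates follow the sequence reported in the complaint, while the January and February days are invented.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Event kinds the checks reason about (labels assumed for this example).
CONTACT_KINDS = {"contact_change", "address_change"}
BANK_KIND = "bank_change"
CREDENTIAL_KIND = "credential_change"


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    kind: str       # contact_change, address_change, credential_change or bank_change
    old: str = ""   # value on file before the change; "" means nothing was on file
    new: str = ""   # value on file after the change


@dataclass
class Assessment:
    hold_ok: bool                 # the post-change waiting period has elapsed
    new_destination: bool         # payment would go to a recently added bank account
    changes_in_window: int        # number of account changes in the look-back window
    credential_and_contact: bool  # both login credentials and contact details changed
    findings: List[str] = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        # Any finding should route the request to manual review rather than auto-pay.
        return bool(self.findings)


def assess_distribution(events: List[AccountEvent], requested_at: datetime,
                        hold_days: int = 14, cluster_days: int = 90,
                        cluster_threshold: int = 3) -> Assessment:
    """Score a distribution request against the change history of the account."""
    window_start = requested_at - timedelta(days=cluster_days)
    recent = [e for e in events if window_start <= e.when <= requested_at]
    findings: List[str] = []

    # Control 1: no distribution until hold_days after the most recent bank change.
    hold_ok, new_destination = True, False
    bank_changes = [e for e in events if e.kind == BANK_KIND and e.when <= requested_at]
    if bank_changes:
        last = max(bank_changes, key=lambda e: e.when)
        age = (requested_at - last.when).days
        if age < hold_days:
            hold_ok = False
            findings.append(f"bank account changed {age} days before the request; "
                            f"policy requires a {hold_days}-day hold")
        # Control 2: the first payment to a newly added destination is high-risk by itself.
        if last.when >= window_start:
            new_destination = True
            findings.append(f"first distribution to destination {last.new!r} "
                            f"added on {last.when:%Y-%m-%d}")

    # Control 3: many changes in a short period are a red flag.
    changes_in_window = len(recent)
    if changes_in_window >= cluster_threshold:
        findings.append(f"{changes_in_window} account changes in the last {cluster_days} days")

    # Control 4: credentials and contact details changing together has no routine explanation.
    kinds = {e.kind for e in recent}
    credential_and_contact = CREDENTIAL_KIND in kinds and bool(kinds & CONTACT_KINDS)
    if credential_and_contact:
        findings.append("login credentials and contact details both changed in the window")

    return Assessment(hold_ok, new_destination, changes_in_window,
                      credential_and_contact, findings)


def notification_recipients(events: List[AccountEvent], as_of: datetime) -> Set[str]:
    """Contact details that were on file before each change up to as_of.

    Change notices sent only to the newly supplied details never reach the
    participant; the pre-change values are the ones worth notifying."""
    return {e.old for e in events
            if e.kind in CONTACT_KINDS and e.when <= as_of and e.old}


# Constructed timeline modelled on the sequence described in the complaint;
# contact and bank values are made up, as are the January and February days.
T = datetime
EVENTS = [
    AccountEvent(T(2020, 1, 15), "contact_change", "paula@example.invalid", "new-owner@example.invalid"),
    AccountEvent(T(2020, 1, 15), "contact_change", "+27-11-000-0000", "+27-11-999-9999"),
    AccountEvent(T(2020, 2, 10), "credential_change"),
    AccountEvent(T(2020, 3, 9), "bank_change", "", "bank-account-las-vegas"),
    AccountEvent(T(2020, 3, 17), "address_change", "Johannesburg, ZA", "Las Vegas, NV"),
]
REQUEST = T(2020, 3, 20)

if __name__ == "__main__":
    result = assess_distribution(EVENTS, REQUEST)
    print("high risk:", result.high_risk)
    for line in result.findings:
        print(" -", line)
    print("notify pre-change contacts:", sorted(notification_recipients(EVENTS, REQUEST)))
```

Run against the constructed timeline, the request on March 20 fails the 14-day hold (the bank change is 11 days old), is the first payment to a newly added destination, sits inside a cluster of five changes, and combines a credential change with contact changes; each condition alone is enough to hold the request for review. Moving the request four days later clears the hold check but leaves the other three findings, which is the point of layering controls rather than relying on the waiting period alone.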