A recent phishing incident involving a Retirement Clearinghouse (RCH) employee email account led RCH to notify more than 10,500 individuals on May 12, 2023 that their personal data (including their names, Social Security numbers and individual retirement account (IRA) numbers) may have been exposed. RCH, a fintech company, has been a leader in the auto-portability of retirement accounts for participants subject to the small-balance mandatory cash-out distribution provision of their employer-sponsored retirement plan. RCH's service provides a mechanism to move participants' savings from their former plan accounts, or from the safe-harbor IRAs established for them as a result of mandatory cash-out distributions, into the retirement plans of their new employers. In 2019, RCH obtained a prohibited transaction exemption from the Department of Labor that allowed it to receive certain fees in connection with these account transfers under its program without the individual's consent. The auto-portability provision of the SECURE 2.0 Act has now codified such negative-consent auto-portability roll-in transactions, which will increase their use. RCH reported that this data breach did not affect the network it is establishing with large retirement recordkeepers to facilitate auto-portability transactions, and stated that it is evaluating additional safeguards to prevent a recurrence of this type of event.

This incident is another example of the cybersecurity vulnerabilities lurking in the retirement plan distribution process. Given the SECURE 2.0 Act's provisions for auto-portability transactions, and its provisions for an upcoming Retirement Savings Lost and Found database to which plan sponsors will be required to remit various types of information, including information related to small-balance cash-outs, plan sponsors and fiduciaries should review their current benefit plan cybersecurity policies and procedures, consider the implications of auto-portability transactions and the upcoming database, and make any desired updates. These policies and procedures should already be in place in light of the Department of Labor's best practice guidance issued on April 14, 2021. If no policy is currently in place, there is no time like now to adopt one. For policies that are in place, further consideration should be given to any updates that may be warranted, including with respect to potential vulnerabilities in the plan distribution process. For example, procedures may require updates around (a) the verification and authentication of participant identity in connection with distribution requests, (b) waiting periods before account assets are distributed, (c) monitoring of service providers' protocols, security measures, and breach response procedures, and (d) updating service agreements to address indemnification, limitations of liability, insurance for cybersecurity issues, and any loss guarantees provided by the service provider. Educating employees and plan participants on cybersecurity matters related to their information and data is also critical, and plan service providers should be expected to train their employees on these matters and to have appropriate controls in place as well.

Cybersecurity risk will remain, cases will continue to emerge, and security measures will continue to be updated and enhanced. It will remain crucial for plan sponsors and fiduciaries to monitor plan cybersecurity practices internally within their organization and externally among service providers periodically during the plan year; address any weaknesses; educate participants on steps they should take to protect their data, personally identifiable information and accounts; and remain vigilant.