Are Recordkeeper Security Guarantees a Fiduciary Minefield?

March 16, 2026, 8:30 AM UTC

In an era of escalating cybersecurity threats, retirement plans face unprecedented risks of data breaches and financial losses. The Federal Bureau of Investigation’s Internet Crime Complaint Center reported $12.5 billion in potential losses for 2023 and $16.6 billion in potential losses for 2024, underscoring the urgency of robust security measures.

In response, many retirement plan recordkeepers are offering and promoting online security guarantees or fraud reimbursement programs to address unauthorized or fraudulent transactions, promising to make participants whole and reimburse them for losses that are at no fault of the participant.

While these programs may appear to provide a safety net for plan participants, they present a complex challenge for plan sponsors and fiduciaries under the Employee Retirement Income Security Act. Far from being simple supplemental consumer benefits, the security guarantees or fraud reimbursement programs that are marketed as protecting participants must be evaluated through the lens of ERISA’s fiduciary standards.

Without careful governance considerations and clear contractual language, these guarantees can create legal, operational, and oversight risks.

A particularly thorny issue arises where a recordkeeper asserts that its guarantee program is outside the scope of the services agreement or that actions taken under its guarantee (for example, reversing transactions or controlling asset flows) are settlor decisions regarding the use of plan assets, and are therefore not subject to fiduciary obligations. This article explains why these positions are legally mistaken and describes steps that plan sponsors and fiduciaries can take to mitigate the associated risk.

ERISA Framework and DOL Cybersecurity Guidance

Under ERISA § 404(a), plan fiduciaries owe duties of loyalty and prudence to plan participants and beneficiaries. Plan fiduciaries must act “solely in the interest of the participants and beneficiaries” and with the care, skill, prudence, and diligence that a prudent person familiar with such matters would use. ERISA § 404(a).

Although ERISA doesn’t explicitly address cybersecurity, the US Department of Labor has made clear that cybersecurity risks are fiduciary risks, and plan service provider selection and monitoring are core fiduciary functions. In 2021, the DOL published comprehensive guidance on cybersecurity, initially for retirement plans, which emphasized that fiduciaries must take appropriate precautions to evaluate and mitigate cybersecurity risks to plan assets and sensitive participant information. Cybersecurity Program Best Practices (US DOL); see also Tips for Hiring a Service Provider with Strong Cybersecurity Practices (US DOL); Online Security Tips (US DOL). The guidance includes best practices for hiring and monitoring plan service providers and recommends regular review of their security policies and practices. In 2024, the DOL reaffirmed that these expectations apply to all ERISA-covered plans and should be part of regular fiduciary oversight. Compliance Assistance Release No. 2024-01 (US DOL).

The DOL guidance explicitly states that ERISA plan fiduciaries have an obligation to evaluate service providers’ cybersecurity practices, including fraud protection controls, as part of the ERISA duty of prudence to mitigate cybersecurity risks. The evaluation includes comparing security protocols to industry standards, reviewing past incidents, and requiring independent audits where appropriate. Fiduciaries cannot rely solely on a recordkeeper’s marketing claims or guarantees (even generous ones) without assessing actual security architecture and controls.

The DOL guidance also calls for fiduciaries to include specific cybersecurity-related terms in service agreements, such as the right to review and audit cybersecurity controls and the obligation of the service provider to provide prompt incident notifications to the plan fiduciary.

Recordkeeper Security Guarantees

Recordkeeper security guarantees typically are designed to grant recordkeepers broad, unilateral discretion to make material decisions affecting plan assets and participant rights. These security guarantees often give the recordkeeper almost total discretion in determining how the guarantee applies, such as allowing the recordkeeper to decide whether or not fraud or an unauthorized transaction occurred, having discretion in determining a participant’s level of fault, and having total control over whether and how account balances are reimbursed.

In practice, security guarantee programs drafted this way place plan assets and participant outcomes squarely in the hands of the recordkeeper, without input or direction from the plan sponsor or fiduciary, and remove any ability for the fiduciary to meaningfully review those decisions. This approach can undermine fiduciary governance and calls into question whether the duty of fiduciary prudence is satisfied in these instances.

Some recordkeepers have attempted to justify their unilateral actions under their security guarantees, such as plan asset reversals, by asserting that those actions aren’t covered by the services agreement or that they constitute settlor functions rather than fiduciary conduct and are therefore outside the scope of ERISA’s fiduciary obligations.

These arguments are fundamentally flawed for three reasons:

  1. ERISA’s settlor/fiduciary distinction depends on function, not labels. Under ERISA, settlor functions involve plan design and aren’t fiduciary functions (such as establishing or amending plan terms). See Advisory Opinion 2001-01A. But managing, controlling, reversing or distributing plan assets are all unmistakably fiduciary actions because they concern the management or disposition of plan assets. Simply calling an asset-control decision a settlor function cannot and doesn’t make it so. When determining whether an act is a settlor or fiduciary function, courts and regulators consistently review the substance of the activity over a recordkeeper’s contractual or marketing labels, despite the contractual terms that try to disclaim fiduciary responsibility or liability.
  2. Plan assets must be used for the exclusive benefit of participants. ERISA’s exclusive benefit rule under § 404(a)(1)(A) requires that plan assets be used only to provide benefits to participants and beneficiaries or pay reasonable plan administrative expenses. When a recordkeeper alters plan asset flow without proper plan sponsor or fiduciary authority or oversight, that action implicates ERISA fiduciary standards and may conflict with the exclusive benefit rule. For example, recordkeepers that bear the cost of reimbursements under a security guarantee may have a financial incentive to narrowly interpret coverage or unduly attribute losses to the fault of participants to minimize recordkeeper liability. As described above, such actions can’t be shielded as settlor functions simply because a recordkeeper claims they are part of a security guarantee.
  3. Fiduciary duties can’t be contracted away. A service provider that exercises discretionary authority over plan assets is a fiduciary by function. Even if a contract with a recordkeeper purports that the recordkeeper is not a fiduciary and the contract disclaims any fiduciary obligations, contractual disclaimers do not override ERISA. As discussed above, courts will assess whether the conduct in question constitutes discretionary authority or control over plan assets. If it does, courts consistently treat the recordkeeper’s activity as fiduciary conduct, regardless of whether the recordkeeper disclaims fiduciary duty or how the contract structure or terms characterize the activity.

Using settlor function labels or defenses about who isn’t a party to the guarantee to sidestep fiduciary accountability is legally tenuous and should be a red flag for plan sponsors and fiduciaries, especially where participants may lose or regain access to the funds in their retirement plan account based on the discretion of the recordkeeper, without the plan sponsor or fiduciary’s involvement.

Fiduciary Risks with Security Guarantees

Recordkeeper security guarantees introduce several structural risks if not incorporated into enforceable contract terms between the recordkeeper and the plan sponsors/fiduciaries.

  • Risk of standalone marketing feature: Security guarantees present the risk of being treated as standalone marketing features without any fiduciary oversight, rather than as a reviewed product with meaningful plan protections, potentially putting plan fiduciaries in violation of their duty of prudence under ERISA. This concern is particularly relevant if recordkeepers assert that their actions are settlor functions in nature and therefore immune from fiduciary standards.
  • Misaligned incentives: Recordkeepers with an obligation to pay for reimbursements or other costs affiliated with a security guarantee may have a financial incentive to narrowly interpret coverage or unduly attribute losses to a participant’s fault to minimize their liability, potentially violating the Exclusive Benefit Rule under ERISA.
  • Participant confusion: Participants may reasonably believe that a recordkeeper’s security guarantee is endorsed or controlled by the plan sponsor, particularly if participant communications about the security guarantee do not clearly state its limitations. As a result, denials of any claims for reimbursement under a security guarantee can lead to claims and potential lawsuits against plan sponsors and other fiduciaries for misrepresentation or insufficient cybersecurity oversight of plan service providers, increasing fiduciary exposure.
  • Governance and administration conflicts: Unilateral recordkeeper determinations under a security guarantee may contradict and frustrate plan terms, including claims and appeals procedures or litigation strategy. Because ERISA requires plans to operate in accordance with their terms, such complications can raise numerous compliance concerns in addition to administrative issues.
  • Oversight gaps: Reliance on a recordkeeper’s security guarantee can mask underlying cybersecurity weaknesses that fiduciaries are obligated to address proactively in accordance with the DOL’s guidance. Thus, plan fiduciaries could face liability under the fiduciary duties of loyalty and prudence for failing to protect participant personal information and plan assets.

In short, a generous-sounding security guarantee ultimately can increase fiduciary risk if marketing is substituted for governance.

Recommendations for Plan Sponsors and Fiduciaries

To manage the risks associated with recordkeeper security guarantees, plan sponsors and fiduciaries should take the following steps:

  • Treat guarantees as supplemental protection, not comprehensive protection. Security guarantees should augment, not replace, the recordkeeper’s robust cybersecurity governance program. Focus on controls related to prevention, detection and response, not just reimbursement. Plan fiduciaries shouldn’t rely on security guarantees from recordkeepers in lieu of a thorough evaluation of the recordkeepers’ encryption standards, authentication protocols, access controls, incident response readiness, and other key components, including those identified in the DOL guidance.
  • Lock cybersecurity governance into the contract. Service agreements with a recordkeeper should contain clear and enforceable terms that address:
    • Fraud detection and escalation protocols;
    • Plan sponsor notification requirements;
    • Timing of and authority over asset freezes and reversals;
    • Participant communications;
    • Documentation of decisions; and
    • Audit rights.

Note: The contracts should expressly provide that the plan fiduciaries retain sole control and decision-making authority over plan assets. Proven strategies have demonstrated that this can be accomplished at any time, either at the inception of an engagement or by amendment for ongoing engagements.

  • Clarify participant communications. Plan fiduciaries should review participant notices and other communications to ensure that security guarantees aren’t misrepresented as plan-level endorsements or arrangements. Plan fiduciaries also should distinguish between recordkeeper programs and commitments from plan benefits and ensure that participant communications accurately describe the limitations and any discretion over any security guarantee program.
  • Document the fiduciary process. Plan fiduciaries should record all cybersecurity due diligence, contract negotiations, monitoring activities, and committee discussions and decisions in fiduciary committee minutes. Documentation of the fiduciary’s process is the cornerstone of demonstrating fiduciary prudence under ERISA.
  • Seek professional expertise. Cybersecurity risk and ERISA fiduciary risk intersect in complex ways. In evaluating and negotiating contract provisions, fiduciaries should involve experts with specialized knowledge, such as technical cybersecurity experts and ERISA legal experts who are fully experienced in cybersecurity investigations and disputes as part of the vendor selection and monitoring process.

Takeaways

Online security guarantees offered by recordkeepers may offer valuable participant protection and aren’t necessarily a bad thing, but only if plan fiduciaries do more than just accept them at face value as comprehensive protection. Plan sponsors and fiduciaries must first ensure their fiduciary duties under ERISA and DOL guidance are satisfied.

When a recordkeeper exercises discretion over plan assets, such as by reversing transactions, modifying participant accounts or otherwise making decisions regarding plan assets beyond ministerial acts, ERISA fiduciary standards apply, regardless of how the action is branded or marketed.

Plan sponsors and fiduciaries should approach recordkeeper security guarantees with healthy skepticism and ensure that any program or guarantee affecting plan assets is tightly governed in accordance with applicable laws, regulations and guidance, with clear roles, transparent decision-making standards, effective oversight mechanisms, and enforceable contractual protections. Only then can plan fiduciaries satisfy ERISA’s duties of loyalty and prudence while still delivering meaningful protection to participants.

Actions speak louder than words. A security guarantee may sound comforting, but under ERISA, fiduciaries are judged by governance, not by promises.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Jorge M. Leon is Partner and Sub-Group Co-Leader of Employee Benefits at Michael Best & Friedrich, focusing on emerging fiduciary issues such as ERISA cybersecurity and litigation risk mitigation.

Leah Toro is an Associate Attorney at Michael Best & Friedrich, advising plan sponsors and fiduciaries on a variety of benefits issues, including evolving ERISA cybersecurity standards and developing innovative compliance strategies to address legal and regulatory risks.

Nate Linger is an Associate Attorney in the Labor & Employment Group at Michael Best, specializing in employee benefits and advising plan sponsors and fiduciaries on ERISA cybersecurity compliance and benefit plan administration.


To contact the editors responsible for this story: Soni Manickam at smanickam@bloombergindustry.com; Rebecca Baker at rbaker@bloombergindustry.com
