My name is John Hays and I am the newest team member at Voisard Asset Management Group. My role is focused around working with employer sponsored retirement plans to provide expert fiduciary advice as an advisor. Just a little background on my expertise, for 13 years I have worked on employer sponsored retirement plans (pension plans, 401(k), 457(b), 403(b), deferred compensation, etc.). I have advised on plans of all shapes and sizes, from start up plans to $500 million plans with thousands of participants.
In addition to understanding how the plan works, you should also be aware of how the plan you are entrusting your savings with is protecting your assets. This brings us to our first topic, cybersecurity!
One of the challenges in 2020 has been the need for increased cybersecurity measures as employees have moved outside the corporate office, which required the creation of processes to reduce risks of a cybersecurity breach. According to PwC, “55% of employers are increasing their cybersecurity budget, 51% are increasing their workforce headcount, and 50% say cybersecurity will be a part of every business decision or plan”. This is a risk we all know to be on the rise and continues to be more of a focus, especially in the retirement plan world.
As an example, in April an employee plan participant filed a complaint alleging ERISA breaches of fiduciary duty against the plan sponsor (Abbott Laboratories) and the plan’s recordkeeping and administration partner (Alight Solutions) when $245,000 was taken from their account. According to the DOL, after an investigation into Alight Solutions it was found that they had processed unauthorized distributions as a result of cybersecurity breaches relating to its participant accounts. A similar case occurred in 2019 against Estee Lauder and Alight Solutions. These are just two examples of many, but in my conversations with employers, this type of fraud is happening with increasing frequency.
The question arises, what can employers do to minimize their fiduciary duty when it comes to cybersecurity and theft of assets? And when/if plan assets are stolen, who will be held liable? To this date the DOL has yet to provide comprehensive guidance on this subject. Wagner Law Group, one of the leading ERISA Law Firms in the country, provides this valuable insight:
“Without substantive regulatory guidance and taking into account the increasing threat of cybercriminality to retirement plans, plan sponsors should establish, evaluate, and test their cybersecurity protocols. Plan sponsors might want to take a conservative approach and assume that ERISA’s duties of loyalty and prudence do indeed apply to participants’ identification data and their plan benefits in case the DOL or the courts conclude such information do constitute “plan assets” for purposes of ERISA.”
So according to Wagner Law Group, the best course of action is to adhere to the fiduciary standard that should be followed when it comes your retirement plan today. The duty of loyalty and care (acting in the best interest of participants), and the duty of prudence when making decisions on the plan should always be at the forefront.
Now you may ask, how do we do that? Wagner Law Group has provided 7 steps employers should take to protect plans from potential cybersecurity breaches, they are as follows:
- Request information from service providers with whom participant data is shared regarding their data security processes and data transmittal policies.
- Review and revise, as necessary, service agreements with the plan’s service providers and negotiate to add provisions including (i) a commitment to maintain cybersecurity insurance at a particular level, (ii) indemnification of the plan for losses, damages, expenses and lawsuits arising out of unauthorized access to participant data, (iii) an agreement to implement specified standards of cybersecurity, and (iv) an agreement as to how and when the plan sponsor will be notified in the event of a data breach.
- Review and modify, as necessary, the plan’s fidelity bond to ensure that coverage is sufficient for the potential risks, and add optional coverages for depositor’s forgery, computer fraud, and funds transfer fraud.
- Acquire cybersecurity insurance.
- Acquire or review fiduciary liability insurance to determine if it covers fiduciary breach claims related to selection and retention of plan service providers.
- Undergo a “data diet,” which involves a review of participant data that is currently shared to ensure that the minimum possible amount of data is shared.
- In the event plan services are put out to bid, ensure that the requests for proposals seek sufficient information about candidates’ data security and data transmittal policies, insurance coverage, etc.
By no means are these exhaustive or do they fit in every circumstance, but they are great steps to help reduce cyber risk for both participants and plan sponsors. Just like the plan design or investment selections, there is always a part of the prudent process that requires tailoring to each unique situation. Should you have questions while reviewing these steps or if you would like to understand how to review or implement safeguards please do not hesitate to reach out to our team at Voisard Asset Management Group.