Cybersecurity Best Practices for Plan Sponsors
Participant data and financial accounts comprise some of the most sensitive and potentially vulnerable information under a company’s care. These highly valuable assets can be an attractive target for cybercriminals and therefore present considerable security risk. Breaches of this information can be devastating to plan participants and to the reputation of the organization.
For plan sponsors, ensuring protections around participant data and investment assets is a key fiduciary responsibility. In fact, as law firm Hodgson Russ noted recently, “The causation standard under Section 409(a) of ERISA is an issue that could lead to more litigation as cyberattacks on employee benefit plans increase.” The provision states that plan fiduciaries who breach their fiduciary responsibilities are personally liable for any losses that result from the breach. The law firm continues: “Outside of the ERISA context, however, courts have looked at similar questions … [and] found that proximate cause was sufficiently alleged when a complaint contended that the defendant’s failure to establish industry-standard information security safeguards was the proximate cause of the stolen personal information.”
Sponsors should consider their potential exposure under Section 409(a), in the event of a failure to adhere to a prudent process for mitigating risk (upholding the higher prudent man standard). Earlier this year, the U.S. Department of Labor (DOL) issued guidance aimed at plan sponsors, plan fiduciaries, recordkeepers and plan participants, offering best practices for maintaining cybersecurity. The guidance is structured along three main areas of focus: service provider selection, establishment of a cybersecurity program and participant protection.
Hiring a Provider
Per the DOL, plan sponsors should perform a series of due diligence checks prior to engaging a provider. The department’s advice includes inquiring about the provider’s information security standards, practices and policies, and audit results, as well as comparing them to the industry standards adopted by other financial institutions. The DOL also recommends examining the provider’s track record in the industry — including a public records search of information security incidents and litigation related to its services — and asking about the level of security it has met and implemented, how it has responded to past security breaches and whether it carries insurance that would cover losses due to a cybersecurity incident.
Implementing a Cybersecurity Program
For establishing and maintaining an effective program, the DOL points to best practices prepared by the Employee Benefits Security Administration (EBSA). The agency’s advice includes having strong access control procedures as well as an effective business resiliency program addressing business continuity, disaster recovery and incident response. It also recommends conducting periodic cybersecurity awareness training and an annual third-party assessment of security controls.
Because participants and beneficiaries can themselves be direct targets of cybercriminals, the DOL’s guidance also offers tips aimed at helping retirement account holders reduce the risk of fraud and loss. For example, the DOL advises that participants routinely monitor their online account, create strong passwords and use multi-factor authentication. Other recommended precautions include signing up for account activity notifications and exercising caution with regard to use of free, publicly available Wi-Fi networks.
Defending Against Cyberthreats
Cybersecurity breaches have become increasingly prevalent in the modern world and have added another layer of complexity for plan sponsors. Given the current regulatory and legal climate, it’s more important than ever to stay abreast of changes in a dynamic risk landscape, and to partner with an advisor and service providers who can help mitigate the risks and keep plan participants’ data and assets safe from cyberthreats.
To view the full DOL guidance, visit the department’s website: https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity
When It Comes to Planning for Retirement, Participants Want to Hit the Easy Button
According to J.P. Morgan’s 2021 Defined Contribution Plan Participant Survey findings, more than half of the 1,281 respondents indicate that they:
- Are presented with more plan information than they can absorb.
- Don’t read investment information provided to them.
- Are willing to spend time planning for retirement but just don’t know where to start.
Nearly three-fourths of participants under 30 think employers should provide access to financial professionals and coaching to help them. Even more telling, 62% wish they could push an “easy button” and completely turn over retirement planning to someone else. This figure is up from 55% in 2016.
What’s fueling these worrisome trends? Perhaps the added complexity of living during a global pandemic has left workers less time and energy to focus on managing retirement planning. Moreover, 24/7 financial reporting on every market twist and turn may make navigating financial landscapes even more daunting. With seemingly endless media coverage of bitcoin surges and day trader-generated run-ups on stocks like GameStop, more may have come to believe that investment decisions are simply best left to professionals.
Financial wellness is arguably a “must-have” benefit for plan sponsors and participants alike. But sponsors can give employees an additional tool for the assistance they’re looking for: target date funds (TDFs), which can relieve workers of many of the burdens of investment decision-making.
Nonetheless, easing that burden can come at the expense of a certain degree of customizability. After all, just because two employees have the same planned retirement date, it does not guarantee they’ll have similar risk tolerance.
A solution to this problem is adding a TDF with a multiple glidepath construction to your investment menu: one that offers aggressive, moderate and conservative options. This allows participants to enjoy the simplification of retirement plan decision-making while maintaining more control over their level of investment risk — all within a single TDF.
A TDF with multiple glidepaths solves the “one-size-fits-all” limitations of traditional TDFs. Participants simply select the closest year in which they expect to retire and then choose the glidepath that most closely aligns with their personal risk tolerance, as well as the amount of risk needed to accomplish their retirement goals.
Retirement Income Participant Interest Surveys: A Contrarian View
Retirement income products can serve an important purpose as a participant investment option for retirement plans. Surveys gauging participant interest in these options may be open to interpretation, especially when the survey is conducted by a retirement income vendor.
A survey conducted by the well-known and respected JP Morgan gauged participant interest in a retirement income product that could be meaningful to many retirement plan participants. Retirement income vendors have increased marketing efforts for their retirement income products, bolstered in part by employee surveys affirming interest. It is prudent for plan sponsors to look critically at survey conclusions when evaluating the potential benefits of any new product for their retirement plan participants.
The JP Morgan survey conclusions are similar to those of others.1
- “There is notable variability in participants’ expected retirement age and style. The mean age when respondents expect to retire is 64.7, with 51% planning a gradual move into full retirement.”
“Notable variability” in participant expected retirement ages is not surprising. Many plans have average employee age well under 40. Younger employees may often hope to retire early without careful evaluation of financial planning targets. Some may have done considerable research while others may just be hoping or guessing. Plan sponsors may not find this particularly helpful. The mean expected retirement age of 64.7 is not surprising and not specifically supportive of annuitization.
- “Most are concerned about outliving their money and unsure about how much they need to save for retirement. Nearly 7 out of 10 respondents are concerned about outliving their money in retirement.”
Again, this conclusion is expected and understandable, as 7 out of 10 (at least) should be concerned about outliving their retirement savings. Also, there is little difference between uncertainty about how much they need to save for retirement as a lump sum or as lifetime income, since an annuity can always be purchased at the point of retirement if they so choose. “Dollar cost averaging” into annuities (rather than a single-sum purchase) may, however, be beneficial, as annuity rates change over time, as does life expectancy.
- “Many would welcome a post-retirement income option in their plan. A large majority of respondents (85%) say that they would likely leave their balances in their plans post retirement if there was an option to help generate monthly retirement income.”
Again, no surprise here. Most participants would probably agree that a lifelong retirement income would be a good thing. Even assuming a relatively significant $1 million account balance, the typical retirement income fund would only generate $23,800 in annual income. (https://www.morningstar.com/articles/958275/what-are-retirement-income-funds-do-you-need-one)
At first glance, the above survey conclusions may reflect an implied interest by participants in a retirement income option; however, evidence of impending substantial deferral commitments is uncertain.
The question becomes how many participants would actually elect to defer into a retirement income option, and at what percentage of their total deferral amount? Considering the proliferation of articles on plan interest in adopting retirement income options, the actual adoption rate is not as high as expected, and little is available substantiating significant utilization of these options by participants.
This does not mean that these options may not thrive in the future. On the contrary, they may certainly be appropriate for retirement plans. Consider the similarity with auto-enrollment, which, when first offered, was met with less than tepid acceptance and is now ubiquitous among retirement plans, and for very good reason.
1 Additional JP Morgan survey information can be found at https://am.jpmorgan.com/us/en/asset-management/adv/insights/retirement-insights/defined-contribution/plan-participant-survey/post-retirement-plans
Time for a Financial Check Up
With the season changing and life ever pulling us forward, you may want to take into account life changes that may affect your financial goals.
Account for Changes in Your Personal Life
Have there been any changes this past year in your family, personal, or financial life? If life changes have occurred, you may want to do the following:
- Review beneficiary designations (qualified plans, IRAs, life insurance, etc.)
- Review the titling of assets (bank accounts, brokerage accounts, property, etc.)
- Update estate planning documents (wills, trusts, power of attorney, guardianship, etc.)
- Update insurance coverage (life, health, long-term care, disability, etc.)
Updating Your Goals
Review the following list to see what adjustments may need to be made:
- Have your long-term savings goals changed (e.g., target retirement income, target retirement date)?
- Have your intermediate-term savings goals changed (e.g., vacation home, college savings, etc.)?
- Has your ability to save changed (e.g., change in income or expenses)?
- Have you set any new financial goals?
Prepare for the Unexpected
It’s highly recommended to have an emergency fund that can cover your expenses for at least three to six months. These assets can be cash, a savings account, a money market fund, or other assets that can be accessed quickly.