Cyber risk has become a more significant issue in the retirement space in recent years. Many plans rely on multiple service providers that share large amounts of data, so every hand-off of data is a potential point of exposure, and both plan assets and participants' personally identifiable information (PII) are at risk. Completely eliminating these risks is impossible, but managing them is achievable, and doing so is essential not only to meeting ERISA's prudence standard but also to serving the best interests of plan participants. It is important to remember that managing your cybersecurity is an ongoing process, not a one-time project, and it should not be rushed. Below, we review key preventative measures against common cyberattacks.
Improving Your Retirement Plan Governance
It is not hyperbole to suggest that you as a retirement plan sponsor must take seriously your fiduciary responsibility. This includes plan governance, such as a review of the risks that threaten the plan’s compliance with ERISA requirements, an analysis of portfolio performance vis-à-vis benchmarks and peers, and a determination of whether plan participants will have the resources necessary to meet their expected retirement income needs.
Breaking Down 3(21) vs. 3(38) Fiduciary
While most plan sponsors are familiar with the term, many are uncertain of what it actually means to be a fiduciary. In fact, a recent JP Morgan survey found that 43% of company fiduciaries do not identify themselves as fiduciaries, which shows how widespread that uncertainty is.
Implementing Cybersecurity Best Practices for Plan Participants
Cybersecurity has become a prevalent concern in the retirement industry. In part because the Employee Retirement Income Security Act (ERISA) does not explicitly define fiduciary duties for managing cybersecurity risk, the retirement industry is a target for cyber-attacks. Notably, many plan breaches are not the work of outside attackers alone; they often stem from employee mistakes (e.g., falling for a phishing scheme or using a weak, easily guessed password). Thus, while it is important for plan sponsors and providers to understand the risks of cyber-attacks, plan participants should also be educated on these risks and on cybersecurity best practices.
What’s Your Fee Policy?
According to the Callan Institute, an employee benefits research and investment consultancy group, the issue of highest concern for defined contribution plan sponsors is that of retirement plan fees. Specifically, in Callan's 2019 Defined Contribution Trends Survey, plan sponsors identified for the third year in a row that improvements in their fiduciary standing come from a robust and thorough review of retirement plan fees.