Retirement Plan Cybersecurity Disclosure to Make Everyone Satisfied

Retirement plan sponsors want to know their service providers are taking steps to protect participant data, but providers are concerned about releasing confidential information.

“There is no comprehensive federal regulatory scheme governing cybersecurity for retirement plans in the U.S.,” states a white paper issued by the Pension Research Council and The Wharton School, University of Pennsylvania. “Likewise, there is no comprehensive federal scheme that covers their service providers.”

The paper, authored by Tim Rouse, executive director of The SPARK Institute in Simsbury, Connecticut; David Levine and Allison Itami, principals at Groom Law Group in Washington, D.C.; and Ben Taylor, senior vice president and defined contribution (DC) consultant in Callan’s Fund Sponsor Consulting group, based in the San Francisco office, notes that the Employee Retirement Income Security Act (ERISA) is silent on the protection of data held as electronic records, and that U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function.


However, as more cybersecurity attacks are reported in the media, it is an issue at the top of many minds in the retirement industry. In 2018, the ERISA Advisory Council asked the Department of Labor (DOL) to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face and to require them to be familiar with the various security frameworks used to protect data as well as to build a cybersecurity process. Earlier this year, lawmakers sent a letter to the Government Accountability Office (GAO) asking it to examine cybersecurity in the U.S. retirement system. The letter identifies 10 questions the lawmakers would like the GAO to answer, following its examination.

Retirement plan providers are taking some steps to reassure plan sponsors about the risk of cybersecurity threats to participant accounts. According to Wendy Carter, vice president and defined contribution director in Segal’s Washington, D.C. office, and a vice-chair of the Data Security Oversight Board for The SPARK Institute, all companies have insurance to make participants whole if their account balances are accessed and taken.

Itami says cybersecurity insurance is an evolving area and a growth opportunity for insurers. Plan sponsors usually first go to their errors and omissions (E&O) insurance provider to ask whether it offers such coverage, she says, but they may need a broker to help them find it.

Plan sponsors obviously have a fiduciary duty under ERISA to protect participants’ retirement assets, but is participant data a plan asset? According to the white paper, a conservative approach would be to treat participant data as such and take prudent steps to protect it.

Issues with evaluating cybersecurity processes of providers

Carter says retirement plan sponsors are concerned about how they can ensure that recordkeepers have robust cybersecurity processes to protect all the personal information they hold about participants. Providers, however, are reluctant to share detailed information about their cybersecurity practices, fearing that their efforts would be undermined if the details they reveal reached attackers.

These concerns are why The SPARK Institute came up with a framework for cybersecurity disclosure by plan providers. It identifies 16 critical data security control objectives and requires plan providers to use an independent third-party auditor. Regardless of the security framework the provider follows, each audit report must map the provider’s identified controls to the 16 SPARK control objectives.

Those 16 control objectives are:

  • Risk assessment and treatment;
  • Security policy;
  • Organizational security;
  • Asset management;
  • Human resource security;
  • Physical and environmental security;
  • Communications and operations management;
  • Access control;
  • Information systems acquisition development;
  • Incident and communications management;
  • Business resiliency;
  • Compliance;
  • Mobile;
  • Encryption;
  • Supplier risk; and
  • Cloud security.

Itami explains that the framework’s goal is to give plan sponsors a common format for looking at different providers and comparing them apples to apples. “A plan sponsor can take the approach of asking the 16 questions, but that is not efficient, and they might run into resistance about giving detailed information that could be used by hackers,” she says.

With the SPARK framework, an outside auditor will write a report analyzing how recordkeepers address the 16 controls. “They will lay out a provider’s process without going into details. For example, the report may say, ‘Provider A uses X encryption,’” Itami says.

She adds that the report shows plan sponsors a provider has something in place and whether it looks rigorous or not. “The vast majority of plan sponsors are not cyber experts, so it’s helpful if an auditor has asked the questions,” she says.

Carter says the auditor’s report will also identify whether any issues have come up with a provider, whether they posed a significant risk and whether they have been corrected.

What plan sponsors should ask of providers

Itami says plan sponsors can ask prospective providers whether they have had an independent audit of cyber controls and to see the report. If they don’t have one, the plan sponsor can ask for one.

In addition, according to Carter, plan sponsors should have specific cybersecurity information in their contracts with providers, including information about any insurance provided.

“My plan clients are very concerned about cybersecurity and knowing auditors are looking at this specifically makes clients feel more comfortable,” Carter says.

A note about data retention

A post from Joseph J. Lazzarotti, a principal at law firm Jackson Lewis, says B.C. Pension Corporation announced a data breach involving pension plan records after discovering that a box containing microfiche could not be found following a recent office move. The box contained personal information (names, Social Security numbers and dates of birth) on approximately 8,000 pension plan participants who were employed during the period 1982 to 1997.

He said ERISA includes specific record retention requirements. “For example, persons who are responsible for filing plan reports must ‘maintain records to provide sufficient detail to verify, explain, clarify and check for accuracy and completeness.’ In addition, ERISA requires employers to maintain sufficient records to determine benefits due to employees. Because employees may not retire for many years after accruing benefits under the pension plan, plans need to maintain records until plan participants retire and the records must be sufficient to determine benefits under the plan,” he wrote.

He cited the 2016 ERISA Advisory Council report of considerations for the DOL, which said plan sponsors and service providers should:

  • Retain only the data that is needed; if certain data elements can be redacted, remove them;
  • Maintain an inventory of records that are retained regardless of format, and where to find them;
  • Outline a clear process for moving records, and track location and inventory during the move; and
  • Delete records that are no longer needed; confirm service providers have done so, as applicable.

“Of course, no set of safeguards for protecting personal information will prevent all kinds of compromises to it. Mistakes happen, so employers and plan administrators should be prepared by developing and maintaining incident response plans and practice them,” Lazzarotti said.

Lessons From 403(b)s When It Comes to LDI in DC Plans

The analog of defined benefit liability-driven investing on the defined contribution plan side is the discussion of in-plan guaranteed retirement income.

Aaron Meder, CEO of Legal & General Investment Management America (LGIMA), has spent about a decade working on the topic of liability-driven investing (LDI), predominantly on behalf of the firm’s defined benefit (DB) plan clients.

Meder initially joined LGIMA back in 2010 for the express purpose of building out the firm’s LDI capabilities, essentially from scratch. He worked as a one-man LDI team for three years before moving to take on an expanded role in London. Two years ago, Meder returned to the U.S. to take the job of CEO, and since that time, LDI has remained a big focus.


“The biggest difference in the LDI space, comparing 2010 versus today, is how complex and multifaceted this topic has become,” Meder says. “Back then, we were talking about LDI as the idea of pension plans moving core fixed-income holdings to longer-duration fixed income, and encouraging them to use a performance benchmark with a longer duration profile that more closely resembled a pension’s investment horizon—for example, long government credit.”

Moving away from core fixed income is an important first step, but over the last 10 years, LDI has become much more about analyzing liabilities and responding to them, Meder says. Pensions and their advisers still run long credit portfolios, but they have taken additional steps to create a truly tailored solution against a client’s unique projected liabilities.

According to Meder, LDI in today’s context can lead to more significant changes in pension investing behavior than one might imagine. As the conversation around “DC LDI” intensifies, it is reasonable to think the same might be true one day for DC plan investing.

A big part of this conversation will naturally revolve around in-plan annuities, Meder says, but that’s not the whole story, especially given the regulatory uncertainty that many plan sponsors say holds them back from more fully embracing the offering of annuities in DC plans. Practically speaking, in the near term, Meder says using LDI in DC plans could also mean doing a reevaluation of the fixed-income investments offered. Just like DB plans have reconsidered holding a basic core fixed-income portfolio, which does not match their liability duration, and instead have embraced longer-duration fixed income, DC plan investors may consider doing the same, Meder says.

“Once you redefine what retirement income looks like, you start to redefine what the fixed-income portfolio looks like,” he explains, “including in target-date fund glide paths. In my opinion, the next 10 years is going to bring a massive shift from core fixed-income in DC plans to something that looks more like LDI, just like we saw in the DB plan market.”

One important caveat, Meder points out, is that LDI strategies must be informed by a plan sponsor’s goals for the DC plan. In other words, an LDI approach will look different depending on whether the DC plan is designed to be the main source of retirees’ income or a supplement to it.

“Full income replacement is not the goal of every DC plan,” Meder said. “Many are designed to be more supplementary in nature. The defining of goals is an important discussion to have when thinking about LDI, both for DB and DC plans.”

Learning from 403(b) plans

Reflecting on the topic of DC LDI, Patrick Rowan, senior managing director, retirement income strategies and products, TIAA, says there are a lot of ways that 403(b) plans are starting to look more like 401(k) plans in terms of streamlining administration. But the discussion of DC LDI, he says, is one area where 401(k) plans are actually (if slowly) moving to look more like 403(b) plans.

“One of the ongoing changes we are seeing in 401(k) plans, as an example, is that the qualified default investment alternative [QDIA] regulations have had a big impact on the entire market,” Rowan says. “At TIAA, because we believe annuities are key for a secure retirement, we have developed custom portfolios that qualify as QDIAs and include TIAA traditional annuities. We’re excited about this offering and are advocates for guaranteed income in DC plans.”

Rowan, like Meder, sees in-plan annuities as a core component of making DC LDI a reality.

“So, on the pension LDI side, the objective is to have the liquid cash flow in hand when you need it to pay your pension liabilities,” Meder said. “It’s really kind of the same idea on the DC side—a successful outcome is about having sufficient money available when you need it and for as long as you need it. Pension plans are managing this goal for a whole population of people, while DC plans are serving individual account holders.”

Rowan adds that, besides individuals’ sequence of returns risk, LDI strategies in DC plans have to consider longevity risk as well.

“It’s the main risk, in a sense,” Rowan warns. “Half of men who are 65 today will live to age 85, and a third will live to be 90. Women have better longevity projections than that. So longevity is a real and growing factor that people need to think about.”

Importantly, both Rowan and Meder say “retirement is always going to be tricky.”

“So often, life takes over and forces people to retire earlier or later than they planned,” Rowan says. “It’s often driven by emotion or personal situations. Say a spouse is ill, or work has become a grind or you get laid off. For these reasons, it is so important to plant the seeds about saving for a retirement paycheck earlier in the career path, as is the case with 403(b) plans. Thinking about the potential role of annuitization should begin early in one’s savings journey.”

Structuring a sustainable and individualized retirement paycheck is not going to be a focal point today for Millennials, but, Rowan says, younger savers can and should take small steps over time to address their multifaceted retirement liability. Baby Boomers and Generation X may be more open to this discussion and taking practical steps in the near term.

DC LDI will take time

According to Rowan, annuities have long been the bedrock investment underpinning 403(b) plans, but annuities are offered in only about 5% of 401(k) plans, and utilization even in these frontrunner plans remains low.

“We feel like that is largely because plan sponsors believe they lack sufficient fiduciary protections, not because they don’t see the importance of creating retirement paychecks instead of lump sums,” Rowan says. “I’m not a government relations expert, but I know that there are various proposals out there that would ease the offering of annuities, and we are hopeful that one or more of these will eventually pass. Our clients are also very hopeful about this.

“Until recently,” Rowan continues, “the 401(k) was always looked at as supplementary. Today, this has changed, and so I think the retirement income conversation will change quite rapidly. The whole retirement space is grappling with this change from accumulation only to addressing both growth and spending/income.”

From TIAA’s perspective as a provider of annuity products, Rowan says, it’s quite natural that the firm would see annuitization of DC plan assets as a pathway to LDI. Importantly, the firm advocates for partial annuitization with high-quality institutionally priced products.

“It’s a common misconception that when you buy an annuity, this means turning your whole asset base into a guaranteed income stream,” Rowan said. “In reality, annuitization is flexible. We generally see a recommendation from advisers that only, say, 40% of the portfolio be annuitized as a means to address longevity risk and sequence of returns risk. This subtlety often gets overlooked.”
