Sponsors Should Have a Plan in the Event of a Cyberattack

It could be helpful to hire a third-party specialist to do a risk assessment of the handling of participant data.

While the Department of Labor (DOL) hasn’t issued formal guidance on the responsibilities of retirement plan sponsors to protect against cybersecurity threats, there are commonsensical protections plan sponsors can put in place nonetheless, according to Employee Retirement Income Security Act (ERISA) attorneys.

Sponsors need to be actively thinking about cybersecurity protections and have a plan of action in the event of a breach, Ed Redder, a partner in the employee benefits and executive compensation group at Thompson Hine, tells PLANSPONSOR.


“If a plan fiduciary only starts thinking about this once a breach occurs, they will be behind the eight ball,” Redder says. The first thing sponsors need to do to protect their plan participants’ data is examine their vendors’ contracts and internal processes in the event of a breach, he adds. “Sponsors must build out agreements with their providers to delineate the responsibilities between the parties should a data breach occur.”

Layna Rush, a shareholder with Baker Donelson and head of the firm’s data incident response team, also says any party that could be impacted by a cybersecurity breach must have an incident response plan.

“If the sponsor’s vendors are handling personal information or protected information, then the sponsor must ask them how they would handle a breach and walk through a tabletop exercise to determine how their vendors would react,” she says. “They need to give prior consideration to their contracts with their vendors to ensure that they are adequately prepared.”

Rush also recommends plan sponsors have a third-party specialist do a risk assessment and identify their biggest risk. “You can’t always do everything at once to address risk. Instead, come up with a mitigation plan to address those risks in order of importance and then set a schedule to go through them all,” she says.

Should a breach actually occur, the plan sponsor “needs to find out which participants were impacted, which data elements were compromised, when the breach occurred and what steps have or will be taken to mitigate the impact of the breach,” Redder says.

After that, the plan sponsor must determine if the government, media or participants need to be notified under the governing laws and coordinate with the vendors to ensure that duplicate notifications are not issued, as any repetition could be confusing and potentially irritating to participants and result in mixed messages, Redder says. Each state has different laws on cybersecurity breach and/or privacy breach notifications, so a company operating in several states needs to be on top of this, which an ERISA attorney can assist with, Redder says.

Many vendor contracts include indemnification clauses that may apply in the event of a breach, Redder says.

“I have also seen many large recordkeepers include ‘theft guarantees’ for participants so that if the participant follows certain protocols the recordkeeper spells out for protecting their account, and the account is hacked anyway, the recordkeeper will make their account whole,” Redder says.

The sponsor should determine if any of the company’s insurance policies cover cybersecurity breaches, and, if so, the next step is notifying these insurers that a breach has occurred, Redder says. “The benefit of doing that is many insurers can provide helpful resources to resolve a breach and help protect the sponsor’s rights as well,” he says.

A plan sponsor must act quickly in the event of a breach, says Adam Levin, founder of Cyberscout. “Getting your response right may keep a really bad situation from becoming an ‘extinction-level event.’”

Once all of this has been solved, Levin says the sponsor should ask the vendor in question what steps will be taken to mitigate the breach and what will be done to stop it from happening again.

The bottom line, Rush says, is that “sponsors need to give cybersecurity protection a lot of forethought to ensure their vendors adequately protect their participants’ data with strict security measures. Sponsors must do their due diligence on the front end to look at their vendors’ policies.”

Levin adds: “The best practices for sound cybersecurity protections are more or less universal across industries and organizations. Sponsors need to invest in cybersecurity protections and nurture a culture of privacy and security—from the mailroom to the boardroom. They need to hire qualified IT [information technology] staff, use the most up-to-date security software, train employees to recognize the telltale signs of phishing and other suspicious behavior, have a robust cyber-incident insurance policy in place and use secure methods to transmit sensitive information and data. Finally, they need to vet and continuously monitor their vendors.”

Rebalancing Can Be an Important Tool for DB Plans During Volatile Market

J.P. Morgan’s proprietary analysis of the 100 largest corporate pensions reveals several lessons defined benefit plan sponsors can learn from last year.

The 2020 funded status of the 100 largest corporate defined benefit (DB) plans by assets rose only slightly as double-digit equity returns were offset by a decline to record-low discount rates, according to a proprietary analysis conducted by J.P. Morgan Asset Management.

The report, written by Michael Buchenholz, head of U.S. pension strategy, institutional strategy and analytics, reveals the benefits that came from rebalancing liability-driven investing (LDI) portfolios during the market volatility of last year. He first points out that for plan sponsors to have meaningfully rebalanced into risk, they would have needed a two-way glide path permitting re-risking or an investment team with wide discretion; the ability to quickly raise liquidity, in the portfolio or from the sponsor; and the capacity and ability to conduct transactions on short notice.


To illustrate the potential benefits of reallocating, J.P. Morgan took a simple 50%/50% LDI portfolio and estimated returns under different rebalancing policies. Without any rebalancing, the sample portfolio—50% MSCI All Country World Index (ACWI), 40% U.S. long credit and 10% U.S. long Treasuries—earned 15.2%, a bit better than the top 100 plans’ average return of 14.2%. Rebalancing monthly back to target allocations earned an additional 80 basis points (bps), while rebalancing just once at March 31 earned an additional 225 bps.

Buchenholz notes that hedge portfolios are still the focal point of most LDI strategies, but he suggests that corporate DB plans might have put up an illusory line of defense with corporate credit.

“One of the most pernicious adversaries of hedge portfolio effectiveness is credit defaults and downgrades, generating fixed income losses and liability increases as higher yielding bonds exit the pension discount curve universe,” the report says. “Corporate bond hedges become … sources of vulnerability.”

However, in late March, the Federal Reserve’s announcement of policy measures, including primary and secondary market corporate bond-buying programs, helped drive long corporate spreads down from a peak of 360 bps on March 23 to about 230 bps by the end of April. Buchenholz says these downgrades, in addition to leniency from credit agencies, might be keeping liability valuations artificially depressed. He adds that the proprietary analysis found less than 10% of fixed income portfolios are allocated away from traditional investment grade credit and Treasurys to hedge diversifiers such as mortgage loans, securitized assets and emerging market debt.

The report notes that employer contributions into DB plans surged in the fourth quarter of 2020. Buchenholz says it’s understandable that DB plan sponsors waited for economic conditions to stabilize before committing mostly voluntary contributions to their plans, but cash infusions tend to be most valuable during periods of economic stress. J.P. Morgan examined contribution scenarios with varied timing and fund allocation and found that the best opportunity was contributing to fund equities in March. This would have returned almost 50%, or cost roughly 68 cents to buy a dollar of end-of-year assets.

Taking the lessons from the past year, J.P. Morgan recommends re-evaluating glide path triggers and bands while permitting re-risking, which can set plans up to take advantage of future market dislocations.

The firm also suggests that corporate DB plans fortify their hedges with diversified exposures such as securitized assets.

In addition, DB plans should consider alternative assets. “As expected returns have continued to fall, alternative asset classes have an increasingly important role to play in generating returns, diversification and income. By taking stock of intermediate-term liquidity needs like benefit payments and potential risk transfer transactions, corporate pension plans can better understand their tolerance for illiquid assets in the portfolio,” the report says.
