PSNC 2023: Cybersecurity Best Practices for Plan Sponsors

Experts note the importance of participant education and reviewing insurance held by vendors.

In talking about the risk faced by retirement savings plans from digital attacks, Larry Crocker, founder and CEO of Fiduciary Consulting Group, referred to famed bank robber Willie Sutton.

“When asked why he robbed banks, what was Willie’s response?” he asked an audience at the PLANSPONSOR National Conference in Orlando, Florida, last Thursday. Sutton’s retort, as noted by Crocker, was: “‘That’s where the money is!’”

Retirement plans, Crocker told the audience of plan sponsors, are a target today because that is where so much wealth is held by American savers. It is therefore crucial for retirement plan committees—and their advisers—to engage in cybersecurity discussion and reviews as an ongoing part of their work, experts said during a panel session.

From left to right, Larry Crocker, Daniel Esch and Percy Lee. Photograph by Matt Kalinowski



As a guiding document, plan sponsors and advisers can start with the Department of Labor’s 2021 cybersecurity guidance, said attorney Percy Lee, of Ivins, Phillips & Barker, Chartered. This guidance is not law, Lee noted, but it is intended to guide fiduciaries on what regulators would look for in an audit.

The DOL advises plan sponsors to carefully vet third-party retirement service providers in terms of their digital standards and history, Lee said. Sponsors should have a review process that considers any record of cyber incidents, what a vendor’s response would be if they experienced a breach, and whether the firm’s cyber insurance covers the service provider, as well as any third party they are using, Lee said.

These conversations, while convenient when choosing a provider, should continue on a regular basis, Lee noted. “Part of your fiduciary governance is to maintain that conversation and to have regular fiduciary meetings and to hear reports from your providers, especially plan recordkeepers who have access to your plan assets and data,” Lee said.

Crocker noted that the DOL document for service provider reviews is two pages, the participant review handout is two pages and the employer document is four pages—alluding to the fact that employers bear the biggest cybersecurity burden.

“As this environment has changed, hopefully your items on your retirement plan committee have changed,” he said. “Hopefully there has been an extension to members of IT [to join the plan committee].”

Daniel Esch, a senior vice president and financial adviser with CAPTRUST, confirmed that since the DOL 2021 guidance, he has seen retirement plan committees add cybersecurity to their agendas and focus areas.

One thing Esch said he finds surprising when working with companies is that they often are not aware of the rate at which participants have—or have not—logged in and authenticated their retirement accounts. He said some companies show statistics of 50% to 60% of their participants having never gone in to set up their accounts, in part due to the growing practice of automatic enrollment.

“Those [accounts] are just sitting ducks for the cyber criminals to attack, because they take over the account authentication process extremely easily,” he said. “One of the very first things we advise plan sponsors on is looking at what percentage of your participants have authenticated their accounts overall.”

Esch also advised that retirement plan committees send communication to participants, whether from the plan sponsor or the recordkeeper, talking about good habits or “good hygiene,” as it relates to protecting participant data.

Esch noted that CAPTRUST helps with recordkeeper evaluations with the largest 15 or so providers. “100% of the clients that I work with want this report and will document it in their [committee meeting] minutes,” Esch said.

Fiduciary Consulting Group’s Crocker went on to list a few resources that plan sponsors and advisers can try for information and services—some paid, some unpaid—on cybersecurity. That list included: The Cybersecurity and Infrastructure Security Agency, part of the United States Department of Homeland Security; KnowBe4, a firm that provides cybersecurity training to employees; and the Centre for Fiduciary Excellence, which provides cybersecurity certification for firms.


PSNC 2023: Addressing the Health Care and Financial Benefits Tradeoffs

Expert panelists discussed ways employers can strike a balance between offering a variety of health care benefits and mitigating rising costs. 

Left to right, Brea Dantin, Stephanie Ulrich, Sarah Haflett. Photograph by Matt Kalinowski

As the cost of health care continues to rise, many employers are finding it increasingly difficult to offer a robust total rewards benefits package to their workers, according to expert panelists at the PLANSPONSOR National Conference last week in Orlando, Florida. 

Health care costs and budgets are starting to eat into other benefits that employers offer, including financial wellness, student loan benefits, retirement contributions and more, said Sarah Haflett, director of health care thought leadership and research at Fidelity Health. 


“We’re seeing this intersection of health and wealth really at play,” Haflett said. “There’s really no way that we can look at health and financial wellness separately. They really need to be addressed together.” 

In a recent employer health benefits survey, Fidelity found 62% of health benefits leaders said their organization has projected an increase in their health care budget for 2023. On top of that, Haflett said 40% of employers reported they are making adjustments to their retirement contributions and other benefits because of the rising cost of health care. 

“It’s really starting to crowd out other spending,” Haflett said. “We also see it really impacting employers’ ability to even fund current business priorities. … We’re coming to a point where some critical decisions have to be made around health benefits. … Are we actually getting a return for what we’re investing in? Are we seeing improved health outcomes? How can we curb this spending, not just for ourselves, but for our employees as well?” 

At RoyOMartin, a manufacturer of wood products with facilities in Louisiana and Texas, Stephanie Ulrich, a benefits accountant, said that to mitigate the cost of health care, the firm decided to open its own clinic and pharmacy for its employees within the past few years. 

Ulrich explained that one of RoyOMartin’s companies employs the physicians and nurses, with nurses stationed at every RoyOMartin location. Employees who see any of these physicians or nurses are not charged any fees, and they can also get prescriptions at a reduced cost. 

“We don’t want our employees going to a doctor’s office and spending hours in a waiting room or, worse, going to the ER and spending 10 hours,” Ulrich said. “[Opening the clinic] helped our productivity, and it lowered our costs.” 

She added that all employees or dependents covered by the company’s health insurance only need to pay a $15 flat fee for anything done in the clinic, including lab work. RoyOMartin currently employs about 1,300 employees, Ulrich said. 

In addition, Ulrich said RoyOMartin retirees maintain the exact same medical benefits at the same cost as active employees. At age 65, the company automatically enrolls retirees into a Medicare Advantage plan for which the company pays 100% of the premiums for both retirees and their spouse or dependents. 

As the company is based in the South, Ulrich said diabetes is one of the firm’s biggest medical expenses. Now, when an employee goes to see the medical director, they work together to map out a “life plan” and schedule times to fill their prescription and get their insulin.

“That’s another way we cut down on costs,” Ulrich said. “We actually have a person that’s certified in diabetes care and management, because we saw that need for our company.” 

How Many Benefits are Too Much? 

As there are a wide variety of benefits an employer can offer, there comes a point where too many benefits will result in a heavy administrative burden for the plan sponsor. 

“There’s a sweet spot in terms of how many benefits you offer,” Haflett said. “Somewhere around 25 benefits is where you start to see the law of diminishing returns. Anything more than that, [and] you’re not really getting bang for your buck.” 

Haflett said there has been an “explosion” in plan sponsors offering specific health benefits to help people with diabetes, cancer, oncology appointments, mental health and more. She said many employers are also investing more in employee assistance programs.  

However, she said monitoring all these benefits is a huge administrative burden on many plan sponsors and can be extremely time-consuming.

Plan sponsors “don’t know if they’re getting a return, [and] they don’t know if health outcomes are improving significantly, but they feel like they have to keep offering because they want to remain competitive,” Haflett said. 

According to another Fidelity survey, Haflett said some 50% of employers have started to look at the concept of packaging benefits in a way that is relevant to people’s lives. For example, an employer may offer a benefits package catered toward someone who is starting a family or caring for a sick loved one. She said packaging benefits in a relatable way could help drive engagement.  

Employees Mitigating Costs 

Haflett said the Fidelity survey found that about half of employees with employer-sponsored insurance are taking some sort of action to reduce their health care costs.

About 22% of employees said they had delayed getting medical care to mitigate costs, and 12% said they completely avoided seeing a doctor or did not fill prescriptions. Other employees said they took out loans to pay for medical care.  

Brea Dantin, the chief operating officer of ProCourse Fiduciary Advisors, moderated the panel and said delaying care can actually have a negative impact on an employee’s cost mitigation because waiting may result in the need for more expensive treatment later down the road.  

“Not everyone is financially educated enough to strategize their [cost mitigation],” Dantin said. “They may just not [seek medical care] at all.” 

Haflett added that Fidelity research revealed that one in three employees conducted a hardship withdrawal from a 401(k) account to pay for health care expenses.  

Dantin pointed out that health savings accounts can help bridge the gap between health and wealth, as they allow employees to set aside money, which will grow tax-free, for qualified health care expenses, deductibles, copayments and more. Access to an HSA is a tool that could potentially prevent people from taking out a hardship withdrawal to pay for medical expenses, she said.
