Plan Security Relies on Vetting 3rd-Party Providers

As 3rd-party subcontractors continue to experience data breaches, plan sponsors must ensure they are asking the right questions about their providers’ providers.

This story has been updated for the magazine. That version can be found here: “Who Do You Trust?”

Retirement plan recordkeepers’ increasing reliance on third-party vendors for various administrative services and tools poses a challenge for plan sponsors who need to vet these vendors, especially as many have been exposed to cybersecurity breaches in the past year.


To protect participant data and personal information, plan sponsors should know which subcontractors their recordkeepers work with, which of those subcontractors have access to participant data, and how to respond when a breach occurs.

When Infosys McCamish Systems LLC suffered an external system breach last year, major recordkeepers and insurance companies like T. Rowe Price, Vanguard and Principal Life Insurance Co. were impacted. More than 6 million people had their Social Security numbers, email addresses, usernames and passwords, and driver’s license and passport information exposed.

In a more recent incident, multiple clients of CBIZ Inc.’s benefits and insurance services were affected by a June breach that leaked the personal information of retired employees of those clients.

The Department of Labor issued updated cybersecurity guidance last month for ERISA-covered employee retirement benefit plans and health and welfare plans. Lisa Gomez, assistant secretary of Labor in charge of the Employee Benefits Security Administration, said in a statement that all plans covered by the Employee Retirement Income Security Act need to implement “appropriate best practices” to help protect participants and their beneficiaries from cybercrime and emerging threats.

The updated guidance included tips for plan sponsors and fiduciaries when hiring a service provider. For example, the DOL recommended that plan sponsors compare their service provider’s information security standards, practices and policies, and audit results to industry standards adopted by other financial or health institutions.

Jon Meyer, the chief technology officer at CAPTRUST, says it is important for plan sponsors to fully implement the DOL guidance.

“Ideally, if you’re vetting your recordkeeper, which is probably a large company, they are going to be able to tell you how they are vetting all of their suppliers,” Meyer says. “In turn, you’re going to be able to get a little more confident that they have made efforts to make sure that they are not entrusting key data to suppliers who are not worthy of dealing with that data.”

Asking the Right Questions

Kristine Sciangula, a retirement plan administrator for the 457(b) deferred compensation plan run by Suffolk County, New York, says her plan’s contract with its recordkeeper, T. Rowe Price, explicitly states that T. Rowe Price cannot delegate the “material duties” under the agreement to any other entity without the plan’s consent.

The Suffolk County plan also includes certain requirements for approved subcontractors, such as providing insurance certificates, SOC audit reports and information security policies.

Sciangula says three of the third-party vendors used by the plan’s recordkeeper have experienced breaches—including check mailing company R.R. Donnelley; PBI Research Services, which searches for missing participants; and Infosys McCamish. According to Sciangula, T. Rowe Price made it clear that the Suffolk County plan was not specifically impacted by these breaches, as there is no proof of participant information being obtained.

Sciangula says one issue she has come across is that some recordkeepers do not consider all providers to be “third-party subcontractors.”

“Because of the fact that [recordkeepers] don’t call all these [providers] ‘subcontractors,’ this year when we did our RFP, we changed our questions to specifically ask about vendors and other companies being used,” Sciangula says.

Instead of using the term “subcontractors,” Sciangula says the request for proposal asked broader questions, such as the names of the companies being used, the locations where services would be performed and the qualifications of each company the recordkeeper intended to involve in any way.

Some recordkeepers did not answer those questions, Sciangula found. Many responded that they used third-party providers but did not name the company or detail the services they provide.

Meyer says if a provider cannot answer certain questions or is unable to complete an assessment, it should raise a red flag.

“If I went to a supplier, say a high-volume printing supplier, and they don’t have an information security team, or they really don’t know how to answer the questions on a shared assessment, I would be a little suspect,” Meyer says. “I would be concerned that they don’t have professionals engaged, in the same way that [you would] if you brought your car to the mechanic and he didn’t have any wrenches.”

Sciangula says her plan’s RFP also asked recordkeepers if they agreed not to sell or make available any participant information without the plan’s consent, as well as if any of the recordkeepers’ subcontractors or vendors had experienced a data breach in the last five years. If they had experienced a breach, the RFP asked for an explanation and detailed outcome. Again, she says some recordkeepers did not answer the last question.

Contract Terms

Sciangula says her plan’s contract with its recordkeeper specifies which companies will have access to participant information and requires the recordkeeper to agree that it is responsible for the security of information in its own systems, as well as of any information provided to or managed by a contractor. The plan signs a new contract every five years, she says, but a recordkeeper may add a new vendor during that contract period.

“We’ve requested meetings before to discuss what information would be given to the [vendor] and how would that information be transmitted and secured,” Sciangula says. “We’ve brought in our IT people and their IT people to explain how the data is transmitted and how often it is purged or deleted.”

Once, Sciangula says, the plan was able to opt out of using a particular vendor because it gave a third party unnecessary access to participant data.

“Having another company to worry about having our information just wasn’t worth it,” she says.

The ability to opt out of using a service provider is unusual, but Sciangula says her plan is extremely focused on knowing which companies are involved and understanding the information to which those companies have access.

Red Flags

Meyer adds that it is imperative for plan sponsors to understand who is liable if a data breach occurs, as well as who will notify participants and deal with calls from those impacted.

Prior to contracting with a supplier, Meyer says a plan sponsor should understand the process for managing communications if a breach occurs and who is contractually responsible for costs associated with it.

Veronica Bray, a 401(k) and 403(b) service provider search consultant who owns Retirement Plan Advisor Search in High Point, North Carolina, says she has found that some advisers are not forthcoming about their cybersecurity practices.

“Sometimes [advisers] will say that they don’t have any participant data or plan data, or they don’t receive any personally identifiable information, and they’ll just kind of paint over it,” Bray says. “That’s something that would be a red flag to me—if they’re not willing to go into detail about what their cybersecurity policies and protocols are.”

She says she likes to see that advisers and recordkeepers are testing their controls, for example by sending simulated phishing emails to confirm that employees are not clicking on suspicious messages, and that they are training their employees in safe cybersecurity practices.

In addition, Bray specifically asks in an RFP if a recordkeeper works with third-party service providers for rollover services, student loan repayment services, financial wellness services or any other types of services outside the plan. She then requires the recordkeeper to provide the names of these organizations, along with their digital policies and procedures.

Meyer says that in many recent breaches, criminals have attacked a piece of software “hidden in the bowels” of IT organizations that may be unknown to most of the organization, yet transports significant, critical data.

“I think [when] the software itself has some kind of hidden vulnerability that nobody knows about until after a lot of data has been stolen … it’s super hard to guard against,” Meyer says. Breaches are “inevitable, because everybody’s running some piece of software that they didn’t write, that they’re relying on somebody else to have fully vetted and tested. At the end of the day, it’s really hard to do that with perfection constantly.”

Nevertheless, fiduciaries need to do their due diligence when vetting providers, and Meyer recommends two approaches. One is requesting a SOC 2 Type II report: a third-party audit, based on the American Institute of Certified Public Accountants’ trust services criteria (security, availability, processing integrity, confidentiality and privacy), that assesses whether a company’s controls over customer data were suitably designed and operated effectively across a review period, often six to 12 months, rather than at a single point in time as in a Type I report. Such reports apply to any service organization handling sensitive customer information. A plan sponsor reading one should check the report’s scope and review dates, the exceptions the auditor noted, and whether the provider’s own subcontractors are included in the audit or carved out, because a carved-out subservice organization is exactly the “provider’s provider” the report will say nothing about.

An alternative to the SOC 2 Type II report is a shared assessment (for example, the Shared Assessments program’s Standardized Information Gathering questionnaire), a standardized questionnaire of roughly 1,000 items covering the supplier’s processes. Meyer says working with a specialist or an ERISA attorney is helpful when conducting vendor reviews.

No Matter How Small, Businesses Have Retirement Plan Options

If small employers want to offer a retirement plan, they can start small and ‘graduate’ to more custom, tailored plans when the company grows.

Michael Kreps recently tested the definition of how small a defined contribution plan can be when he helped a trade association client with just two employees establish a retirement plan.

“A lot of times employers will be shy about starting a 401(k) because they think it’s a lot of cost or expense and time and energy,” says Kreps, chair of the retirement services group at the Groom Law Group, based in Washington, D.C. “It can be for big Fortune 500 companies that run 401(k) plans that put a lot of money into those plans and design and consultants, but for small employers, there are plenty of off-the-shelf products.”


For many employers, Kreps advises, the main consideration should be not cost or administrative ease but the overarching purpose of the plan. The key first-principles questions include: Is the intent of the 401(k) to attract and retain talent? What does your workforce need?

‘A Lot of Excitement and Zero Pushback’

Andy Nelson, the human resources manager at Bonfe’s Plumbing, Heating & Air Service Inc. in St. Paul, Minnesota, has seen first-hand how interest has built in the company’s 401(k) plan. Currently, the 185 Bonfe’s employees, based in the Minneapolis-St. Paul area, are automatically enrolled in the retirement plan at a 10% contribution rate, and Bonfe’s provides a 5% match. Participation ranges between 96% and 98% of the workforce.

Nelson sees the retirement benefits as a key piece of the company’s appeal to employees and as a contributing factor to its relatively low staff turnover, which is about 15% among trade employees, well below the industry norm of 50% to 60%, he says. Turnover among call center employees is somewhat higher, at 25%. More recently, he has been tasked with creating a defined contribution plan for another plumbing and HVAC company, one with 25 employees. Based on his experience with Bonfe’s employees, he is unconcerned about starting a plan for a smaller group of employees.

“It works for the company,” he says. “There’s not a lot of those kinds of benefits for this type of business, so there’s a lot of excitement and zero pushback.”

When he started eight years ago, he learned on the job, helped by the company’s fiduciary consultant, Matt Voecks, a retirement plan adviser with World Investment Advisors (formerly Pensionmark) in Bloomington, Minnesota, who walked him through all the steps in overseeing the 401(k) plan.

As for administration, Nelson says he has not found overseeing the retirement plan overly difficult. He credits Voecks for getting him up to speed and for being on call for the employees.

“He comes to our company and speaks, and we set up days where employees can come and just visit with him,” Nelson says. “He really holds their hands through something that most people don’t really know about, especially in our industry.”

Voecks sees companies like Bonfe’s benefiting from partnering with an administrator to handle the fiduciary duties. Voecks and his colleagues, who oversee 401(k) offerings from The Standard, manage most day-to-day operations. “For a lot of organizations, it’s finding a partner that handles a lot of the administrative tasks,” Voecks says.

He notes that small employers starting a plan today can take advantage of pooled employer plans, which handle almost all the fiduciary duties, including delivering plan notices, signing and filing their annual Form 5500 with the Department of Labor, and outsourcing hardship assessments and loan administration. If the plan is large enough for an audit, , he adds.

“Whenever possible, you want to find a partner that picks up the phone and answers it, so you can get on with your day,” Voecks says. He also advises employers to go through the list of fiduciary obligations and consider which of them can be outsourced. “There is kind of a sweet spot on the PEP route that fills the need for those organizations that want to offer the benefit but also don’t want the more onerous responsibilities.”

‘Not That Hard to Put a Plan in Place and to Operate It’

Kreps sees employers considering a range of choices, from extremely customized options specifically tailored to their workforce, up to and including a full-fledged defined benefit plan, down to the simplest and most affordable approach, a payroll deduction individual retirement account. In that case, the employer works with a financial service provider to make IRAs available to everyone on a payroll deduction basis; beyond that, the employer has no involvement.

“There’s zero cost for the employer,” Kreps says. “They do literally nothing except open the door.”

For employers interested in a simple 401(k) plan, most financial institutions provide an off-the-shelf product that is typically simple, pre-designed and a more affordable choice than a custom plan, according to Kreps, who sees many small companies start there, then “graduate” to something more tailored when the company grows.

“We have government subsidies and incentives that make the options cheaper, and we have a very mature system with very mature service providers that do this very efficiently so it’s really just a capacity and focus issue for a lot of employers,” Kreps says. “I fully recognize that if you’re running a construction company, building houses every day, that you’re really focused on making that work and that the 401(k) … probably isn’t even crossing your mind. But there are a lot of options for them, and there’s a lot of help they can get, and it’s not that hard to put a plan in place and to operate it.”

 
