Can 403(b) Sponsors Offer Money-Purchase Plans?

Experts from Groom Law Group and CAPTRUST answer questions concerning retirement plan administration and regulations.

Q: In a recent Ask the Experts column, you mentioned that it was possible for a 403(b) plan to be a money-purchase plan. I thought only 401(a) plans were money-purchase plans; am I missing something?

Kimberly Boberg, Kelly Geloneck, Emily Gerard and David Levine, with Groom Law Group, and Michael A. Webb, senior financial adviser at CAPTRUST, answer:


A: Though 401(a) money-purchase plans are far more common than 403(b) money-purchase plans, there is nothing in the Internal Revenue Code or other regulations that prohibits a 403(b) plan from utilizing a money-purchase formula. The primary reason that you rarely see a 403(b) money-purchase plan is that the type of entities that sponsor 403(b) plans (e.g., tax-exempt organizations) do not often have the type of consistent cash flow to commit to the minimum funding requirements (i.e., required employer contribution) of a money-purchase plan. On the rare occasions where a money-purchase formula exists in a 403(b) plan, it’s commonly for collectively bargained employees in a situation in which the plan sponsor agreed to minimum funding as a result of union contract negotiations.

NOTE: This feature is to provide general information only, does not constitute legal advice and cannot be used or substituted for legal or tax advice.

Do YOU have a question for the Experts? If so, we would love to hear from you! Simply forward your question to Amy.Resnick@issmarketintelligence.com with Subject: Ask the Experts, and the Experts will do their best to answer your question in a future column.

What Is a Proper Cybersecurity Policy for a Retirement Plan?

Plan fiduciaries should consider third-party audits, multi-factor authentication, cyber insurance and more when developing a written cybersecurity policy.

As participant data and plan assets increasingly become targets of cyberattacks, including ransomware, plan fiduciaries need pre-established procedures in place so that participants and the plan are protected, and so that fiduciaries themselves can show they acted prudently, in the event that a breach occurs.

Developing a written cybersecurity policy with specific required procedures is necessary for plan sponsors to uphold their fiduciary duty and comply with Department of Labor standards, according to an insight brief published by law firm Cohen & Buckmann P.C.


“Although it isn’t specifically required by law, a written cybersecurity policy should be given the same importance as the plan’s investment policy statement, missing participant procedures … and loan procedures,” attorney Carol Buckmann wrote. “And given the frequency with which new kinds of threats and attacks occur, the cybersecurity policy will need to be reviewed and updated on a regular basis.”

The DOL updated its cybersecurity guidance last September for retirement plans and health and welfare plans covered by the Employee Retirement Income Security Act. The DOL also offers guidance for hiring service providers with strong cybersecurity practices.

While ERISA does not specifically mention cybersecurity, the fiduciary duties of prudence and loyalty (acting in the best interest of participants) encompass safeguarding sensitive personal and account information.

Cohen & Buckmann recommends considering several factors when developing a cyber policy.

For plan fiduciaries with access to personal data or participants’ investment accounts, Buckmann wrote that training is needed to make sure that the individuals with access to the information do not respond to phishing attempts or inadvertently install malware on their computers.

Training about cybersecurity is also important for employees at recordkeeping firms, as several recent lawsuits by participants whose accounts were accessed by hackers resulted from attacks made possible by human error.

Fidelity Investments was sued in October 2024, for example, after the personal information of 77,000 customers was exposed. The plaintiffs alleged that the recordkeeper failed to implement “adequate and reasonable measures” to ensure their computer systems were protected.

The case, Gluck et al v. Fidelity Investments, is currently pending in U.S. District Court for the District of Massachusetts.

Plan fiduciaries should also insist that recordkeepers and other providers offer multi-factor authentication for accounts in their plans, according to Cohen & Buckmann, as it significantly lowers the risk of account takeover by requiring users to present more than one independent proof of identity. Cybercriminals may be able to guess or buy user names and passwords, but it is harder for them to also supply a second factor, such as a one-time code sent to a participant's cell phone. A code sent by SMS is the weakest form of second factor, since it can be redirected through SIM swapping or relayed through a real-time phishing page; an authenticator app or a hardware security key resists those attacks better, and fiduciaries can ask which options a provider supports.
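As an added example, not code from this article or from the Cohen & Buckmann brief, the Python below sketches the login logic behind the point above: a correct password alone never signs the user in, and the one-time code is single use, expires after a few minutes and is invalidated after a handful of wrong guesses, so a stolen password cannot be turned into access by brute-forcing the code. The sample account, its password and the timings are constructed for illustration, and the in-memory store stands in for the database or cache a real service would use.

```python
"""Second-factor one-time code with expiry, attempt limiting and single use."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is discarded
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) for the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample account (not real data): fixed salt, hash of "correct horse".
_SALT = b"\x01" * 16
USERS = {"participant1": (_SALT, hash_password("correct horse", _SALT))}


class OtpStore:
    """Pending one-time codes, keyed by user. In-memory for the demo; a real
    service would keep this in a database or cache shared by all instances."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> [sha256(code), expires_at, attempts]

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, never random.random
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = [digest, self._clock() + CODE_TTL_SECONDS, 0]
        # In production the code is delivered out of band (authenticator app,
        # SMS, push); it is returned here only so the demo can call verify().
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or guessed too often: must reissue
            return False
        entry[2] += 1
        ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).hexdigest())
        if ok:
            del self._pending[user]  # single use: replaying the same code fails
        return ok


def check_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def login(store: OtpStore, user: str, password: str, otp: str) -> bool:
    """Both factors must pass. The short-circuit also means a wrong password
    does not consume one of the code's limited attempts."""
    return check_password(user, password) and store.verify(user, otp)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("participant1")
    print("password only, guessed code:", login(store, "participant1", "correct horse", "000000"))
    print("password + real code:       ", login(store, "participant1", "correct horse", code))
    print("same code replayed:         ", login(store, "participant1", "correct horse", code))
```

The two `hmac.compare_digest` calls keep both comparisons constant-time, and only a hash of the code is stored, so a leaked store does not hand an attacker live codes.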

In addition, any service provider with access to plan data or with authority to direct investments should undergo regular third-party audits of its systems and regular penetration tests (authorized, simulated attacks that probe those systems for exploitable weaknesses). When conducting requests for proposals for service providers, fiduciaries should ask whether providers undergo regular independent audits, request the resulting reports and ask how any findings were remediated.

Because many providers use subcontractors to perform certain services for the plan, it is also essential that subcontractors are subject to the same scrutiny. If a subcontractor experiences a breach, it can have a ripple effect and expose plan participants’ data to hackers.

Plan sponsors should also seek to understand what happens to plan data when a service contract is terminated. According to Cohen & Buckmann, service providers should not retain data longer than required by law. Data should either be destroyed or returned to the plan after a contract ends.

Another important aspect of a cyber policy is ensuring that the plan has adequate cybersecurity insurance coverage. Because claims can be raised under state law, standard ERISA fiduciary liability insurance may not fully cover fiduciaries and their service providers. ERISA bonding coverage also does not cover thefts of assets by criminal hackers. As a result, the law firm recommends that an expert review a plan’s current coverage to see whether additional insurance is needed as part of the plan sponsor’s cyber policy.

Overall, Cohen & Buckmann stated that fiduciaries do not need to create these policies alone, as few plan sponsors are able to do so without assistance. Corporate security personnel should also be involved in this process, regardless of whether they are otherwise involved in running the retirement plan.

“The bottom line is that fiduciaries may be personally liable for losses caused by their breaches of their fiduciary responsibility to mitigate cybersecurity risks,” Buckmann stated in the insight brief.
