Cybersecurity: Key Considerations and Resources for Plan Sponsors

There is no hiding from attacks on your plan’s technology and data. What are the most important steps you can take to stay prepared?

The COVID-19 pandemic’s acceleration of remote working brought with it a renewed awareness of cybersecurity-related issues, as people established offices and networks outside the “protection” of an in-office environment. Scammers and cybercriminals also used fears of the coronavirus to their advantage. The Financial Industry Regulatory Authority noted the increased risks in an information notice from March 2020, “Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19).”

In addition, the U.S. Department of Labor’s 2021 guidance on cybersecurity put a spotlight on the topic and prompted renewed industry discourse about its importance. At the heart of the matter for plan sponsors is: Who has access to your participant data, and how are you protecting that data?

When it comes to a data breach, it’s not a matter of if, but when. As one example, the Defined Contribution Institutional Investment Association’s Retirement Research Center did a short survey in October of 69 employers and found that 13% said, “Yes,” they had experienced a data breach with their service provider/employee data. The topic will be one of ongoing importance in today’s rapidly evolving tech and litigation environment.

DOL Cybersecurity Guidance

The DOL’s 2021 guidance on cybersecurity is not binding, but it is likely to come up in any cybersecurity discussion. As described by the DOL, the guidance comes in three forms:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as the Employee Retirement Income Security Act requires;
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks; and
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.


Plan fiduciaries should document their process in considering the guidance and why the guidance was or was not followed. They should discuss who is responsible if there is a “blameless breach” and ensure all parties are aware. They should clarify the roles of the service provider, the participant, the consultant/adviser, law firm and other stakeholders and document those roles.

During vendor negotiations, it is useful to fully understand the vendor’s history and protocols. Ask if (or when) the vendor has paid out cybersecurity claims. Clearly define “data breach” and notification standards on your plan’s behalf. What are the remediation steps? What remedies are provided to participants? Also, ask about the role and oversight of subcontractors. Finally, it may be worth exploring specialized insurance coverage for cybersecurity liability. Applicants for this coverage will need to demonstrate awareness and implementation of cybersecurity best practices. Unfortunately, coverage may be difficult to obtain and/or expensive, given increasing volumes of cyber-attacks.

The DOL notes that the department’s guidance “complements [the Employee Benefits Security Administration]’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”

Additional Plan Sponsor and Service Provider Resources

In an article on retirement plan cybersecurity, insurance brokerage and consulting firm Arthur J. Gallagher & Co. notes, “For HR leaders, making prevention the first imperative requires working with corporate IT to put safeguards in place. They should have clear sight into how data is collected, held and classified, who has access, and which laws apply. Investing in enterprise-wide technology is critical to recognizing cyberattacks and stopping them when they occur. … Phishing and other social engineering techniques have become very sophisticated and can easily fool unwary team members into divulging information that gives thieves access to sensitive data. One of the best protections is thorough training for both HR staff and employees.”

The article also provides a detailed list of important cybersecurity-related best practices for plan sponsors to consider.

An article by the Groom Law Group notes the importance of informing plan participants about their role in protecting their own data, stating that “One great way for an ERISA fiduciary to educate participants about online security is to distribute the DOL’s Online Security Tips directly to participants. These tips teach participants how to reduce the risk of fraud and loss to retirement accounts. Some plan sponsors have already put these tips on their websites and have sent them to participants by mail. Others are even including them in summary plan descriptions (SPDs).”

The industry is already keenly aware of and responding to cybersecurity challenges. Research from Cerulli Associates revealed that recordkeepers are increasing their cybersecurity staff as it becomes a growing area of general interest, as well as plan sponsor scrutiny. The nonprofit Society of Professional Asset Managers and Recordkeepers has a robust array of cybersecurity and fraud resources on its website; in particular, plan sponsors may want to consult the Plan Sponsor and Advisor Guide to Cybersecurity.

The guide cites security breaches typically being some form of attack on or intrusion into a network, a lost unsecured laptop and/or data file loss (recordkeeper to third party). It also describes forms of cyber fraud like phishing; malware and account takeover; theft; or impersonation. SPARK recommends that service providers utilize 17 “control objectives” that are listed and described in the guide when reporting on their overall data security capabilities.

At a broader level, the Cybersecurity and Infrastructure Security Agency leads the U.S. effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure. Of particular note, it offers resources for small and midsized businesses; these organizations may have special considerations, given potentially more limited resources to manage cyber risks than larger companies.

There are many resources available to plan sponsors to facilitate discussions about cybersecurity and awareness of best practices, as well as helping to inform and educate plan participants about the key role they play in protecting their information and retirement savings. Plan sponsors may want to consider creating a rolling calendar via which important topics like cybersecurity and participant data are regularly brought up for internal discussion among key stakeholders including HR, finance, legal, IT and communications.

Pam Hess is the vice president of research at the DCIIA Retirement Research Center.

Retirement Industry People Moves

CBCF Names Verity’s Otto Vice Chairman; Spinelli promoted to co-CIO at Halbert Hargrove; Gallagher acquires Retirement, HR Advisory Buck; and more.

Verity’s Al Otto Named Vice Chairman for the Center for Board Certified Fiduciaries

Verity Asset Management announced that the Center for Board Certified Fiduciaries appointed Al Otto, Verity’s national director of plan governance solutions, as vice chairman of the CBCF.

Otto leads Vynntana, Verity’s plan governance platform that provides guidance and a suite of tools supporting 403(b) and 457(b) employer sponsors and the non-ERISA retirement plans they provide for their eligible K-14 public school, college, church, governmental agency and nonprofit employees, the Durham, North Carolina-based Verity said in a press release.

Otto joined Verity in 2018 and is a 20-year veteran of the retirement advisory and employer-sponsored plans industry, which includes experience founding several successful advisory and fiduciary-related businesses, the release said. He is also a published author and speaker on issues pertaining to tax-exempt retirement plan management, fiduciary governance and other related areas.

Halbert Hargrove Names Brian Spinelli Co-CIO

Halbert Hargrove, a fiduciary investment management and wealth advisory firm, promoted a senior wealth advisor and the chair of its investment committee, Brian Spinelli, to co-CIO.


Spinelli joined Halbert Hargrove in 2006 and became part of the management team in 2012, the Long Beach, California-based advisory said in a press release. Spinelli’s role involved overseeing a range of investment responsibilities and wealth advisory services, the firm said.

As co-CIO, Spinelli will be responsible for the oversight and management of Halbert Hargrove’s investments and investment committee, as well as providing the general parameters for investment advice provided to the firm’s clients.

Halbert Hargrove’s announcement noted that it also promoted Tim Kohler to director of research and trading operations, David Koch to director of portfolio management and Taylor Sutherland to director of portfolio strategy.

Secure Choice Savings Board Appoints Todd Hassler as Executive Director

New Jersey’s Secure Choice Savings Board appointed Todd Hassler as the first executive director of its Secure Choice Savings Program.

The appointment concludes a nationwide search for a leader tasked with implementing a state-sponsored retirement plan designed to help private-sector employees save for the future, according to a press release from the Trenton, New Jersey-based Savings Board.

As executive director, Hassler will oversee the creation and operation of the New Jersey Secure Choice Savings Program, an initiative created by a law signed by Governor Phil Murphy which will provide a low-cost retirement plan for private-sector employees across New Jersey, according to the Savings Board. Once fully operational, the program could be responsible for receiving and investing more than $10 billion for the benefit of approximately 1.7 million workers. 

Most recently, Hassler served as senior investigator for the U.S. Department of Labor’s Employee Benefit Security Administration, a role in which he analyzed benefit plan designs and investigated operational failures. Prior to his role with the DOL, Hassler spent 15 years in the private sector in various roles overseeing retirement plans and human resources.


DEALS

Gallagher Acquires Retirement, HR Advisory Buck, NEK Insurance

Arthur J. Gallagher & Co. has agreed to acquire the partnership interests of Buck, a New York-based retirement, HR and employee benefits consulting and administration services firm with more than 2,300 employees and 220 credentialed actuaries. The transaction is expected to close during the first half of 2023, subject to customary regulatory approvals, Gallagher said in a press release.

Gallagher, a global insurance brokerage, risk management and consultancy firm, plans to acquire the interests of BCHR Holdings, L.P., Buck’s official name, and its subsidiaries for a gross consideration of $660 million (approximately $585 million net of agreed seller-funded expenses and net working capital), according to the release. The Rolling Meadows, Illinois-based firm made the purchase for benefits including expanding its work within retirement, benefits & HR consulting, administration and technology. The deal will also deepen Gallagher’s abilities in defined benefits consulting, plan administration, defined contribution and executive benefit consulting, among other areas.

Separately, Arthur J. Gallagher & Co. said it purchased El Cerrito, California-based NEK Insurance, Inc. Terms of the transaction were not disclosed.

NEK is a retail insurance agency specializing in property and casualty coverages for daycare centers and K-8 schools, residential care facilities and small remodeling contractors, with underwriting authority in these three segments, according to a press release.

Kevin Bruns, Jennifer Sylvestri, Kyle Peterson and their associates will be part of Gallagher’s San Francisco branch under the direction of Jim Buckley, head of Gallagher’s Northwest region retail property and casualty brokerage operations, according to the Gallagher release.

Heffernan Buys SGB Insurance Services

Heffernan Network Insurance Brokers, a subsidiary of Heffernan Insurance Brokers providing market access and support services to insurance agencies, has acquired SGB Insurance Services, located in Wildomar, CA.

Scott Becker, the founder and president of SGB, joined Heffernan Network, along with five of his team members, effective November 1, the Walnut Creek, California-based Heffernan Network said in a release.

SGB specializes in providing personal lines and commercial lines of coverage. The company will operate autonomously as a subsidiary agency of Heffernan Network, leveraging its market access, resources and support to grow, according to the release.

As part of Heffernan’s growth strategy, the company is seeking to collaborate with privately held independent brokers across the United States, the firm noted in the release.

M&T Bank’s Wilmington Trust to Sell CIT Business to PE Firm

Wilmington Trust, a wealth management subsidiary of M&T Bank, has agreed to sell its collective investment trust business to private equity firm Madison Dearborn Partners.

Upon completion of the transaction, the CIT business will become an independent company with a new brand name owned by funds affiliated with MDP, according to a press release.

The CIT business, part of Wilmington Trust’s institutional client services division, provides third-party trustee and administrative services to asset managers and the employer-sponsored retirement market. The business has delivered consistent year-over-year revenue growth and currently manages about $115 billion in CIT assets for more than 550 funds across a family of about 45 subadvisors, according to Chicago-based MDP.

“This transaction will enable our remaining ICS businesses to deepen their focus on clients and further optimize their products and services as ICS continues to execute its vision to become the global leader in institutional trust services,” Jennifer Warren, senior executive vice president and head of Wilmington, Delaware-based ICS, said in the release.

MDP’s experience with scaling and growing businesses in the financial services industry will enable Wilmington Trust’s CIT business to deepen and expand its trustee and administrative services customer relationships through increased investment in product capabilities, technology solutions (including the recently launched BoardingPass platform) and strategic acquisition opportunities, according to the companies.

The transaction is expected to close no later than mid-2023 and is subject to customary closing conditions and regulatory approvals. 

Bass Pro Groups Re-Ups with Voya for Retirement Benefits

Voya Financial announced it has been retained as the recordkeeper and service provider for the Bass Pro Group 401(k) Retirement Savings Plan.

The Windsor, Connecticut-based Voya extended its four-year relationship with Bass Pro in October, according to a press release. The Bass Pro Group 401(k) Retirement Savings Plan is a defined contribution plan that allows plan participants to direct the investment of their retirement accounts. This is a large market client for Voya, and the workplace retirement plan supports more than 10,000 individuals, the release stated.

Headquartered in Springfield, Missouri, Bass Pro Group is a privately held American retailer that runs Bass Pro Shops, which specialize in hunting, fishing, camping and other related outdoor recreation merchandise.

Voya will provide plan members with access to myOrangeMoney, an interactive and educational participant website experience, as well as access to the company’s financial wellness experience, which seeks to help inform, engage and encourage positive financial actions.

Voya serves 14.3 million individual, workplace and institutional clients with about $711 billion in total assets under management and administration as of Sept. 30, 2022.
