Developing a Prudent Process for Cybersecurity

Principals with Groom Law Group discuss steps retirement plan sponsors can take to avoid or be prepared for a DOL cybersecurity audit.

As the Department of Labor (DOL) expands the Swiss Army knife of skills it expects a retirement plan fiduciary to have, it becomes more important than ever for fiduciaries to focus on having verifiable processes in place. 

We’ve previously said that having a verifiable administrative process can be helpful when the DOL investigates. In recent years, we have been helping plan fiduciaries who have been focused on developing bounty-hunter-like policies in response to the agency’s aggressive enforcement position on missing participants. As the DOL pivots to new areas of enforcement—such as cybersecurity—it will be important for plan fiduciaries to consider taking similar steps to help protect participant account balances, plan information technology systems and related information. While nobody could have anticipated in 1974 (when the Employee Retirement Income Security Act [ERISA] was enacted) that plan fiduciaries would be responsible for cybersecurity, here we are in 2021 with a department that seems to expect human resources (HR) professionals to moonlight as expert hackers.


Cybersecurity is the DOL’s latest plan sponsor investigation priority. This initiative appears to be the outgrowth of a series of cases that participants have brought against plan fiduciaries and plan service providers alleging that the fiduciaries should have done more to prevent the theft of their account balances by cybercriminals. This first wave of litigation is ongoing and has called into question what exactly a plan fiduciary should know about plan service providers’ abilities to prevent account takeovers.

As a result of this new spotlight, last year, the DOL began opening investigations of plans to determine whether they had implemented prudent cybersecurity policies. Similar to its missing participant initiative, only after starting to investigate did the department identify its expectations for plan fiduciaries. 

So what are plan fiduciaries to do? First, they might want to review the sub-regulatory guidance the DOL issued on April 14. Specifically, the agency issued “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices” and “Online Security Tips.”

In recent investigations, we have already seen investigators from multiple regions ask questions based on these “Tips” and ask plan fiduciaries to document how they and their service providers are complying. The DOL is making fairly standardized requests where plans are asked to request certain policies and procedures from service providers.

As a second step, plan fiduciaries might want to incorporate some or all of the items the DOL has identified in its “Cybersecurity Program Best Practices” into future service provider requests for proposals (RFPs).

A starting point for implementing these steps can be to inventory what cybersecurity practices are currently in place. To do this, we have seen and helped plan fiduciaries identify the information technology (IT) systems a plan relies on (from internal systems to identifying service providers that have their own systems—such as recordkeepers). This allows plan fiduciaries to document, or request help documenting, cybersecurity practices that are already in place. Doing that can put them in a better position to determine if current systems are adequate or if more should be done.

The DOL’s initiative into cybersecurity is in its infancy, and we expect many new investigations to be opened over the next few years. The best time to prepare is before you are investigated.

Beyond the investigation risk, the new sub-regulatory guidance provides a framework to use 2021 as the time to develop a process for documenting what service providers are doing to protect participant balances and other data cybercriminals are targeting. As this new initiative ramps up, plans that take steps to shore up cybersecurity practices now are likely to have better outcomes both in terms of avoiding participant losses and in terms of resource expenditure in investigations.

Allison Itami and Kevin Walsh are both principals at Groom Law Group, Chartered. Their practices encompass assisting plan fiduciaries with understanding their responsibilities and helping them develop processes and systems for meeting and documenting compliance. In addition to this prophylactic assistance, they and their colleagues at Groom Law Group defend plan fiduciaries and plan sponsors in Department of Labor investigations and fiduciary litigation. For more information visit www.groom.com.

This feature is to provide general information only, does not constitute legal or tax advice and cannot be used or substituted for legal or tax advice. Any opinions of the author do not necessarily reflect the stance of Institutional Shareholder Services Inc. (ISS) or its affiliates.

A Reminder of What IRS Examiners Will Look for Regarding NQDC Plans

An updated audit technique guide discusses the doctrines of constructive receipt and economic benefit, as well as IRC Section 409A, to explain when NQDC deferrals are included in employees’ income.

The IRS has issued an updated nonqualified deferred compensation (NQDC) audit technique guide for its agents that discusses the issue of when amounts deferred into NQDC plans are includable in employees’ gross income and deductible by plan sponsors.

The guide discusses the constructive receipt doctrine for unfunded plans, which states that income, although not actually reduced to a taxpayer’s possession, is constructively received in the taxable year in which it is credited to the taxpayer’s account, set apart for the taxpayer or otherwise made available to the taxpayer. Income is not constructively received if the taxpayer’s control of its receipt is subject to substantial limitations or restrictions.


The IRS notes that whether an employee has constructively received an amount does not depend on whether he withdrew funds, but whether he could have withdrawn funds without substantial limitations or restrictions.

For funded plans, under the economic benefit doctrine, if an individual receives any economic or financial benefit or property as compensation for services, he will be taxed at the time of receipt of the property when it is either transferable or not subject to a substantial risk of forfeiture. The taxpayer does not include the value of the property in income until the property is no longer subject to a substantial risk of forfeiture or the property becomes transferable.

The IRS notes that under Treasury regulations, a substantial risk of forfeiture generally exists when the transfer of rights in property is conditioned, directly or indirectly, upon the future performance of substantial services.

According to the guide, Internal Revenue Code (IRC) Section 409A provides comprehensive rules governing NQDC arrangements that apply in addition to the doctrines of constructive receipt and economic benefit. Section 409A provides that all amounts deferred under an NQDC plan for all taxable years are currently includible in gross income (to the extent that they’re not subject to a substantial risk of forfeiture and not previously included in gross income), unless certain requirements are met.

The IRS notes that if Section 409A requires an amount to be included in gross income, the statute imposes substantial additional taxes, which are assessed against the employee/service provider (including an independent contractor) and not the employer/service recipient.

Employers must withhold income tax on any amount includible in the employee’s gross income under Section 409A. However, the employer is not required to withhold the additional taxes. Generally, employers must withhold income taxes from NQDC amounts at the time the amounts are actually or constructively received by the employee.

In addition, NQDC deferral amounts are taken into account for Federal Insurance Contributions Act (FICA) tax purposes at the later of when the services are performed or when there is no substantial risk of forfeiture with respect to the employee’s right to receive the deferred amounts in a later calendar year. In other words, amounts are subject to FICA taxes at the time of deferral, unless the employee is required to perform substantial future services to have a legal right to the future payment.

Regarding employer tax deductions for amounts deferred into NQDC plans, the guide says they are deductible by the employer when the amount is includible in the employee’s income.

The guide tells IRS agents that an NQDC plan examination should focus on when the deferred amounts are includible in the employee’s gross income and when those amounts are deductible by the employer. The examiner should also address whether deferred amounts were properly taken into account for employment tax purposes.

The agency notes that an NQDC plan that references the employer’s 401(k) plan may contain a provision that could cause disqualification of the 401(k) plan. Regulations provide that a 401(k) plan may not condition any other benefit (including participation in an NQDC plan) upon the employee’s participation or nonparticipation in the 401(k) plan. Examiners will look for any NQDC plan provisions that limit the total amount that can be deferred between the NQDC plan and the 401(k) plan, as well as any which state that participation is limited to employees who elect not to participate in the 401(k) plan.