Be Prepared: When a Cybersecurity Issue Occurs, Plan Sponsors Can Spring Into Action

Those with experience say ‘clear, concise communications’ and coordination with partners are vital in crafting an effective response.

When Michael P. Kreps, a principal with Groom Law Group, helped draft a letter informing participants at two plan sponsors of a subcontractor’s data breach, he did not expect completely different reactions from each group. In the first instance, there was zero participant response after learning that information had been hacked. In the second, more than 300 participants called a toll-free number with questions.

“I can’t find any reason why one would have such a massive response,” Kreps says about the challenges inherent in delivering bad news. “So, we’ve defaulted toward clear, concise communications to people to tell them what happened, how you’re addressing it and flagging risks for them.”


The question of how plan sponsors can most effectively respond to and communicate news of a data leak to their participants has been a central topic for years. But a new Securities and Exchange Commission rule in effect this year outlining how quickly public companies must disclose material cybersecurity events is expanding ongoing discussions about best practices for disclosure and prevention. Plan sponsors, attorneys, consultants and cybersecurity experts are helping hone and assess new approaches and responses intended to inform—without alarming—participants of a potential breach.

Meticulous Planning

For Stacy Hughes, the Atlanta-based chief information security officer at Voya Financial, the time to craft a response to a potential cybersecurity threat is long before any incident occurs; that advance work is crucial for cybersecurity preparedness. The main thrust of the new SEC rule requiring more rapid disclosure focuses plan sponsors on determining what is considered material for the organization, since the new rules stipulate disclosing such events on a new Form 8-K within four business days. In addition, she emphasizes the importance of new disclosures in the company’s annual report that fully describe plan sponsors’ cybersecurity programs. Beyond the new specific requirements, Hughes sees plan sponsors’ broader and ongoing responsibilities in preparing responses coalescing around three areas: people, process and technology.

“I would encourage everybody to look at making sure, in a couple of different areas, ‘Do we have staff committed to that function within a plan sponsor?’ and then also making sure you’ve got diverse security experience and background within your organization,” Hughes says. “Looking at it from a people perspective, really having a robust security awareness and employee training program year-round.”

Creating a detailed approach ahead of time and assigning people to monitor and respond to any potential threat is essential for cybersecurity preparedness, Hughes says. To encourage best practices, Hughes advises drafting a RACI (Responsible, Accountable, Communicated, Informed) matrix that clearly outlines roles and responsibilities for everyone in an organization should its cybersecurity be compromised.

The next step involves testing that plan in a tabletop exercise on an ongoing, regular basis, including all stakeholders, she says. Hughes finds it useful for teams to role-play common risks, including a scenario in which a business email account has been compromised or a ransomware attack has occurred.

“It makes what I like to call ‘muscle memory:’ When you’re in the moment, you know what to do,” Hughes says.

Advance preparation is also key for Kelly Lazzara, senior compliance counsel in Gallagher’s Financial and Retirement Services Practice, based in Pittsburgh.

“The best practice with respect to anticipating, preventing and then, of course, responding to a cybersecurity incident from a provider is already having a plan in place,” Lazzara says.

Even if a breach occurs externally, Lazzara recommends that plan sponsors create what she calls a SWAT team, or an incident response team, internally that would typically include the chief information security officer, legal counsel and the human resources and retirement teams.

“They can understand what the impact is and what the data is and be part of a response team and hopefully the ongoing monitoring team and compliance portion of this,” she says.

Developing a coordinated response, however, should also build in flexibility, Lazzara says.

“A formal, well-documented security program should be detailed enough to give you direction and allow you to annually review it, but give you flexibility to respond,” Lazzara says. “With cyber crime and cyber thieves getting smarter, the program should be agile.”

Prevention is not always possible, but if regular monitoring identifies a threat or weakness, regular reviews give the plan sponsor an opportunity to close that gap in real time or to prevent it from being exploited again, she says.

This kind of proactive approach has been in the works at many plan sponsors for years and provides protection from potential litigation should a breach occur, according to Lazzara. She views the SEC’s new rules as an expansion of the Department of Labor’s guidance.

“It is already happening,” Lazzara says. “People in this space are already two years into the DOL’s best practices, and a lot of people also look to know things as soon as possible … so you can close that breach.”

Partners Should Take Certain Duties on Board

One outcome already occurring at some plan sponsors is a greater focus on building rapid reporting requirements into contracts.

“Plan sponsor and plan fiduciary expectations are changing, and that’s just a natural progression,” Lazzara says. “We want everything as soon as possible, and, given the plan sponsor’s fiduciary obligation with respect to understanding the breach or the incident and responding to it, there’s a lot of pressure for those response and incident-reporting times to come down.”

Kreps, based in Washington, D.C., also sees the need for plan sponsors to consider both SEC rules and DOL guidance, along with requirements that can vary by state.

“It’s a bit of a thicket because, depending on the type of the breach and the type of the data involved and the location, you have to be cognizant of all the state privacy laws as well,” Kreps says.

Accordingly, Kreps sees best practices as a multi-step approach: detecting the breach; understanding what happened; notifying the insurance carrier; tapping expertise, in house or external, to quickly get a sense of who was impacted; and finally notifying participants as quickly as possible.

When a security issue is detected, Kreps encourages plan sponsors to be as clear as possible in disclosing a breach.

“Most normal humans expect this to happen to them: that their information may be stolen,” Kreps says. “We’ve all just kind of accepted it, but what they get really annoyed about, from a PR, client, customer participant relations standpoint, is not being told, not having an idea of what’s happening and not knowing how to get things done to fix it.”

Understanding the scope of a problem can be particularly challenging for plan sponsors when a breach involves a third party, and in instances when a plan sponsor may not find out that it happened until long after the breach occurred. Even in such cases, however, the advice for plan sponsors remains the same.

“When they know, move as quickly as possible,” Kreps says. “And when you are aware of the breach, then try and get those notices out.”

Kreps advises plan sponsors to write rapid notice requirements into their service agreements with a specific timeline for when to inform a plan sponsor of a breach and an outline of who will be taking the lead on communication, as well as approval rights for any communication. While it remains an open question whether data is considered a plan asset, plan sponsors nonetheless need to make sure they fulfill their fiduciary duties, he says. One way to mitigate such risks would be to demonstrate the plan sponsor was prudent in how it selected the provider and considered if the provider had effective security in place, he says.

Do Not Be Caught Unaware

Michael Stoyanovich, vice president and senior consultant with Segal’s administration and technology consulting practice and based in San Francisco, also suggests plan sponsors keep a closer watch on vendors, as typically they can be among the greatest cybersecurity risks for organizations to manage.

“Third-party risk is one of the higher risks associated with plan data and information, and it’s cumulative,” he says. “The more vendors you share [with], the greater the risk.”

Stoyanovich urges plan sponsors to consider enhancing their third-party risk management program and practices. For instance, he advises regularly reviewing the data and information sent to any third party, since plan sponsors can reduce risk by limiting what data is shared with vendors. Among other things, he encourages including language in contracts allowing the right to review vendors’ third-party annual cybersecurity assessments or audits and audit notifications. He also recommends reviewing minimum cyber liability insurance and asking about past cybersecurity incidents, along with asking for timely notification of any future incidents, should they occur.

“If a plan is doing everything right and passes data and information over to a third party, then it’s kind of a black box,” Stoyanovich says. “They need to be very attentive to third-party cybersecurity programs themselves.”

The new SEC rules require public companies to disclose a material breach within four days, outline the nature and impact of the incident and the steps taken to address it, and provide updates on policies and procedures. In meeting those rules, he suggests, companies should look to third-party risk as one of the key drivers of their cybersecurity risk.

“The reality is they may not meet your standards,” Stoyanovich says. “You have to understand whatever you’re expecting of yourself, you should expect of your third parties.”

How Plan Sponsors Are Working to Close the Gender Savings Gap

With women still lagging in retirement savings, plan sponsors are making changes across retirement, health care and financial wellness to ensure access is as equitable as possible.

Plan sponsors are bolstering the amount of attention and effort paid to benefits’ gender equity, focusing on more equitable access to benefits across retirement, health and financial wellness.

Four plan sponsors operating in distinct businesses—discerning that, historically, women have lived longer and saved less, due to lower earnings and a higher rate of leaving the workforce for caregiving responsibilities, than men—regularly review their benefits offerings and implement plan design changes. With an eye toward boosting equitable access to benefits, they have adjusted employee compensation, added mental health benefits, used targeted communications and maintained affordable employee medical care for workers.


These progressive plan sponsors have used analysis of their plan demographics to grasp the needs of their workforces.

“The whole idea is to help [workers] feel more financially ready, and then, when they feel more secure in their finances and what they’re doing, then maybe they can feel more secure in setting money aside in retirement,” says Angela Garcia, a senior manager of retirement at the Baylor College of Medicine in Houston. “Whereas when I first started in retirement years ago, the biggest concern was, ‘OK, give people education on investments,’ and that was pretty much all you did.”

Mining plan data has helped plan sponsors discern that every employee benefit offered affects another, because retirement contributions, medical bills, credit card debt, student loan debt repayments and wellness programming all, ultimately, are financial concerns.

“If an employer provides a financial wellness solution that includes some kind of data loop that brings back to the employer [and] the vendor anonymized information about their population that gives them an insight as to what’s most important—what are their biggest concerns, priorities, as well as how do they process financial information [and] where are their anxieties?—that empowers and allows the employer to be much more specific and targeted in their solutions,” explains Jonathan Price, the national retirement practice leader at benefits and human resources consultant Segal.

Although several of the plan sponsors interviewed have focused more attention on boosting equitable benefits across gender, persistent disparities have remained in retirement plan access and savings. Recent research from the Pension Research Council found that 48% of men reported having a retirement account, compared with 43% of women.

Why Equitable Access Makes Sense

Plan sponsors say equitable access to benefits is just good business.

Diverse workforces and greater equitability, including more access to retirement, health and wellness and mental health benefits, improve the long-term viability of businesses, explains Mark Smrecek, the financial well-being market leader at WTW.

“Apart from benevolence, there’s a very, very strong tie to business in several key areas, the first of which is from a talent point of view, having equitable access to benefits means that you’re able to attract and retain the right employees, regardless of their cohort,” he says. “This has been a key issue over the past several years, where making sure that organizations are not only equipped to do exactly what they’re intended, but to be best in market and the ability to … attract and retain women in the workforce, men in the workforce, and all sorts of other affected communities in this space is absolutely critical from a talent perspective.”

Greater workforce diversity, equity and inclusion will extend to the entire workforce and company overall, adds Thea Ammon, a senior benefits administrator at OneAZ Credit Union.

“It’s important to have a diverse workforce, period,” she says. “The more different backgrounds [in the workplace] … it’s better for everyone.”

Lucas Hellmer, director of compensation and benefits at engineering firm Salas O’Brien, explains that financially stressed employees are less productive and tend to be shorter tenured.

“Work bleeding into your personal life can also have some negative consequences as well, [because] those people may not be successful with your organization and may ultimately leave [because of] something that may be preventable,” explains Hellmer. “It’s all about retention: It’s not always about profit and loss. … It’s [also] doing the right thing for team members.”

Plan sponsors are planning to boost retention and reap the rewards of more equitable access to benefits, bolstering pay and benefits for employees while adding benefits including mental health programming.

Boosting Pay

Progressive plan sponsors have a greater understanding that, for participants, developing sound saving behavior for retirement requires sound financial behavior overall. Retirement is a financial issue, and financial concerns affect retirement planning and employees’ retirement security.

In 2022, “OneAZ made a proactive decision to adjust all wages to salary midpoints,” explains Ammon. “All like positions would be paid the same, regardless of tenure. Of course, anyone above midpoint remained at this wage status.”

The change was intended to drive equitable access to retirement and other benefits.

“While this provided a variety of different positive outcomes [reducing turnover, aiding in talent acquisition and addressing wage compression], it also level-set everyone with transparency,” explains Ammon. “With our [Diversity Equity Inclusion and Belonging] initiatives, the transparency allowed reassurances of equitable pay.”

Boosting Benefits

OneAZ has used automatic features in its plan designs—including auto-enrollment and auto-escalation—and has also used qualified default investment alternative funds, shortened vesting and adjusted the employer match formula for more equity across gender, as well. Previously, the plan used six-year cliff vesting, explains Ammon.

Another plan sponsor, Salas O’Brien, this year added paid parental leave for both men and women, mental health support and access to the stress management platform Headspace, says Hellmer.

ASM Research plans to add mental health programming to its roster of available benefits in 2024, explains Tammy Lassiter, a senior retirement plan administrator at the Fairfax, Virginia-based plan sponsor.  

“That’s happening because we want people to have more access to mental health providers,” Lassiter says.

The plan sponsor is also making a plan design change next year—reducing from two to one the number of loans an employee can take—supporting participants’ best interests in the long term, according to Lassiter.

Every Benefit Is Financial

At OneAZ, the plan sponsor’s efforts at boosting equitable access to benefits are focused on tying together health and wellness benefits. Providing affordable medical care, wellness and mental health benefits will ultimately drive retirement plan participation and lead employees to contribute more for retirement.

Driving more equitable access to benefits is “making sure that everything is affordable,” says Ammon.

The Phoenix-based credit union’s workforce population consists of 62% women, which means “pregnancy is our leading expense, but when you make [medical care] affordable, then the person is less likely to have to dip into that 401(k) for those medical expenses,” Ammon adds. “It’s hard to drive 401(k) participation if you have something else that’s interfering with that, so it’s really looking at: What are those obstacles?”

Conversations about medical care and retaining affordable benefits can start the process to change other areas of benefits and compensation, she adds.

“Associates are not focused on ‘Oh, I have to pay this medical expense, I have to pay my student loans, I want to work out but I have to pay for the gym: Do I pay for the gym or do I save the money?’” Ammon explains. “So if you’re reducing those financial barriers to the rest of [their] life, then the individual has more room to save.”

Closing the Gendered Retirement Savings Gap

Recently, ASM Research added an education strategist from retirement and income solutions at Principal to the plan, Lassiter says.

The specialist reviewed and analyzed the plan, revealing that women participants were saving less for retirement than men.  

“It’s not a huge gap, but it is definitely a gap, when you see [in] every single chart, the women are saving less,” explains Lassiter. “Then we’re wondering, ‘OK, what should we do about it?’”

Driving down that retirement savings gap is now a plan goal, she says.

“I’m going to send out a couple of targeted communications pieces to just the female population—so they understand what we already have to offer—[that] talk about the importance of budgeting and emergency savings and … try to get them to schedule a one-on-one meeting with a financial planner, which we offer,” Lassiter says.

Lassiter is considering forming affinity groups of women and holding education sessions in which women can become more engaged with money and finances.

“[A] focus group would be a good idea, because as a woman, I might understand some of the things that they’re going through and why they’re not saving, but I shouldn’t be assuming what those are, because everyone’s situation is different,” Lassiter adds. “That’s my strategy that I have not yet implemented, that I plan to do and try to get some kind of cross section of people … to talk to [employees] about, ‘What can we do from our side?’ or ‘What can we provide to them that would help them save more money for retirement?’”
