Ensuring Cybersecurity in a Remote Work Environment

Extra measures need to be taken for HR and benefits staff working from home to keep employee and retirement plan data secure.

The rapid shift from office to remote work over the past month has left employers questioning their cybersecurity practices.

“There’s a sudden need to test all those tools, in addition to adding a lot of cyber hygiene security and protocols from the home environment that weren’t always as easily emphasized in the workplace,” says Ben Taylor, senior vice president at Callan, an institutional investing firm in San Francisco.

For more stories like this, sign up for the PLANSPONSOR NEWSDash daily newsletter.

Because human resources (HR) professionals are now working online, HR processes that were previously completed on paper are now done by computer. This adjustment is one of the principal impacts, as workers are rapidly adapting to the swift change. “There’s a need to rapidly adapt the paper processes that otherwise can’t be done as easily in this environment,” Taylor says.

While some companies may be in good shape using secure virtual private networks (VPNs), virtual desktops and multi-factor authentication, the reality is that many have not implemented those same practices, says John Jurik, area executive vice president at insurance, risk management and consulting firm Gallagher. “Others may not have those systems in place or have not worked through de-risking employee remote access from personal devices over home networks and Wi-Fi that may not be secured like their corporate networks,” he adds.

This unexpected and abrupt shift in these workforces, without much training on preventing cyberattacks, can thus lead to multiple kinds of hacking attacks, such as spear-phishing and attacks on personal devices, Taylor notes in his report on the cyber risks of working remotely. To combat the threat of hacks, the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), released insights on avoiding cyber issues that arise from the effects of COVID-19, including how to protect privacy during virtual meetings, telework and email.

Cyber threats aren’t limited to those without security measures, however. Companies that have incorporated even the most sheltered practices are still under threat, as employees are now working in their homes with weaker Wi-Fi security systems. “Hackers know people are working remotely and therefore are on networks that are less heavily secured and less robust from a redundancy standpoint than the traditional corporate or government networks that they’re normally on,” Taylor adds.

For benefits and providers’ staff, including HR, prevention should be the first imperative, Jurik notes. He explains how phishing (the practice of sending fraudulent emails while masquerading as a reputable company to gain personal information) and other social engineering techniques can easily fool workers. Among the best protections are implementing training for both HR staff and employees, watching for suspicious emails that ask for password renewals and login credentials, and using secure network connections to access company information, Jurik says. Employees should not be logging into their accounts or emails through personal devices. “As a plan sponsor, you should implement processes and controls to restrict access to plan systems, applications, data and other sensitive information,” he recommends.

Plan sponsors can also look to their financial advisers and providers for support, especially those well-versed in cybersecurity practices, to develop a retirement plan-specific cybersecurity risk management strategy. Should a breach occur, having a plan in place with appropriate notices and remediation efforts can secure confidential information related to the retirement account, while allowing employers and team members to move swiftly, Jurik says. Reviewing the retirement plan providers’ cybersecurity approach and any updates being made in light of COVID-19 could add further clarity. “Communication between plan sponsors, recordkeepers, and advisers and ultimately participants has never been more important,” Jurik stresses.

The most important concept to note about data protection is that most networks are at risk of being compromised and strained, Taylor contends. Fear surrounding the current news creates opportunities for hackers to intrude into networks, so enhancing cybersecurity practices is vital. Keeping up with cybersecurity best practices, such as using a VPN, multi-factor authentication and password protection, reminds workers to be vigilant while keeping their employee and retirement plan data secure.

Plan Sponsors Should Be Extra Vigilant During Severe Market Volatility

For both DB and DC plan sponsors, fiduciary actions follow a different time frame when there is a sustained market crisis.

Regardless of the current market volatility, retirement plan fiduciaries should always be acting prudently and in the best interest of their participants. However, some sources say, there are particular questions fiduciaries should be asking themselves at this critical time.

Jim Scheinberg, managing partner, founder and chief investment officer (CIO) at North Pier Search Consulting, says sponsors of defined benefit (DB) plans “should be checking that their assets are conforming to their written investment policy statement [IPS]. The drawdown in equity values has been substantial.


“Their funding levels could be below their targets and possibly below the ranges to which they are bound within their investment policies,” he says. “Some of them are having conversations about rebalancing liquidity displacements in certain asset classes. The problem is, there is no bid in some of those areas, so timing has to be factored into the equation. Committees might need to be changing policies or extending latitude.”

For defined contribution (DC) plans, Scheinberg says, “An area that should be on the front burner of retirement plan committee agendas in the coming quarter is the evaluation of the qualified default investment alternative [QDIA], specifically those that use target-date funds [TDFs]. The QDIA selection process has been relatively easy during the bull market. But this extreme volatility is exposing features that might be more risk prone and perhaps not appropriate for the demographics for whom they were chosen.

“The biggest issue for TDFs and the way they were selected for many plan sponsor portfolios still to this day has been influenced by the preferential pricing of proprietary funds of recordkeepers. Some of the TDFs are in the more aggressive category. Fiduciaries need to revisit that.”

While it is not a fiduciary responsibility, educating participants about how to access their capital through hardship withdrawals or loans is certainly a best practice and a way for plan sponsors to act sensitively toward participants, Scheinberg says. “They should be letting participants know that the CARES Act allows for them to take up to $100,000 from their plans without paying the 10% IRS tax penalty.”

The Coronavirus Aid, Relief and Economic Security (CARES) Act created a new emergency retirement plan distribution option dubbed the “coronavirus related distribution,” or “CRD” for short. A CRD can be drawn from an employer sponsored retirement plan such as a 401(k) or from individual retirement accounts (IRAs) in any amount up to $200,000. Under the terms of the CARES Act, the normal 10% penalty tax levied on early plan distributions by the IRS is waived. In addition, the law doubles the amount of loans that participants can take—from $50,000 to $100,000.

Companies also should consider permitting participants to continue to pay off their loans even after separating from a company to avoid going into default on those loans, he adds.

Bryan Cave Leighton Paisner has a blog on the subject of fiduciaries’ duties at this time. In light of the extreme market volatility, the law firm maintains that fiduciaries should be asking questions of their investment managers and advisers: “When the circumstances include a volatile market, acting prudently may require a fiduciary to research more, ask more questions or more regularly seek expert advice. Many investment managers and plan providers are offering to meet to reassess investment performance and strategy in light of market changes and to discuss fiduciary responsibility and strategy. They are also providing educational materials for responding to market changes. Fiduciaries should utilize these resources and/or take similar action on their own. Since this duty emphasizes process over outcome, fiduciaries should take care to document the actions they take as well as the process behind such actions.”

Likewise, Spencer Fane has a blog on the subject in which it notes that fiduciaries must act prudently in light of “the circumstances then prevailing.” Fiduciaries should meet to ask how current market conditions could affect their retirement plan. “Consider calling a special meeting to evaluate the situation,” Spencer Fane says. “Waiting until the next regularly scheduled meeting of the fiduciaries–which could be months away–might not be considered prudent in light of the market’s volatility.”

Sponsors of DB plans, Spencer Fane adds, should “consider asking their actuaries to conduct mid-year valuations taking into account current market conditions, so that any contribution increases necessary to avoid at-risk or endangered status can be spread over a longer period.”
