Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats

Plan sponsors should begin with the Department of Labor’s guidance on cybersecurity, then proceed to fill an arsenal of safeguards that protect and secure retirement plan data, assets and participants.

If Department of Labor guidance for plan sponsors, fiduciaries, recordkeepers and participants on best practices for maintaining cybersecurity is the start, then finding the best way forward is the puzzle for employers.

From July 2019 through December 2021, there was a 65% increase in identified global exposed losses (loss that includes both actual and attempted loss) from email compromise attacks, which often target both individuals and businesses who perform legitimate transfer-of-funds requests, according to Federal Bureau of Investigation data included in a bulletin earlier this year.


The FBI data shows 241,206 domestic and international incidents from June 2016 to December 2021, totaling an exposed dollar loss of $43.3 billion.

Account takeover attacks, in which a hacker accesses an existing account using stolen credentials, have affected 22% of U.S. adults, more than 24 million households. Costs are estimated at $11.4 billion in total losses from breaches in 2021, according to a September brief from Pi by Paytm Labs, a machine-learning-powered fraud risk management platform.

While ransomware is now the most acute risk in the cyberattack landscape, the threat picture changes continually and demands constant vigilance, explains Tim Rouse, the executive director of the SPARK Institute, a Washington D.C.-based nonprofit and advocate for recordkeepers and the retirement industry.

SPARK members once focused most of their attention on protecting plan sponsors’ plan data, but this has changed in the last four or five years, he says.

“We started, for the first time, to see the criminal actors utilizing data to then get access to the participants’ retirement assets, which was very alarming,” explains Rouse.

Cyberattackers used to go after an individual’s personally identifiable information, he says. Attempted perpetrators “started to use that personal identifiable information to then get into retirement accounts and into other accounts, too,” Rouse adds. “Each [SPARK] member firm started to put in protections on their own, but then our data security oversight board got together and worked on fraud best practices, and we implemented those about four years ago.”

SPARK’s Data Security Oversight Board’s recommendations for fraud prevention include using multifactor authentication, and they provide guidance on penetration testing, a process whereby a “white-hat hacker” is hired by a company to expose weaknesses in a plan sponsor’s internal IT systems, Rouse says.

Brenda Sharton, a partner in the Dechert law firm and co-chair of its global privacy and cybersecurity practice, says the most critical processes and procedures for plan sponsors to have for cyberattack protections are as follows:

  • Extensive and ongoing training for every employee;
  • Requiring that security-system logins have multifactor authentication; and
  • Ensuring cyberattack insurance is current, covers ransomware and does not include a war exclusion provision.

“Most threat actors, including the most sophisticated ones, get in through phishing emails, and there is no limit to the training that you could do—you’re only as weak as your weakest employee, and you want to have that happen at all levels,” she says. “[In] over two decades … every single year, the cyberattacks go up and to the right in terms of frequency and sophistication, and never have we seen a more dangerous environment.”

There are many types of cyber insurance and coverage options for employers to evaluate.

“Ensure that there’s no act-of-war exclusion, so that the insurer can’t then say, ‘It was a nation-state threat actor, so we’re not paying for this,’” adds Sharton. “When [plan sponsors are] renewing cyber insurance, [they must] make sure they focus in on that clause and that the insurer doesn’t try to use it.”

The Federal Trade Commission has also compiled tips for evaluating cyber insurance on a government website.

Additionally, plan sponsors must have a robust incident response plan in place and ensure it is written down somewhere, says Sharton: “Ask yourself, ‘Does everybody know exactly what they need to do and what they should be doing in an incident?’ And then keep a paper copy with contact information, [including] who are you going to call and who’s supposed to be doing what?”

Sharton identifies the most critical attack threat currently faced by plan sponsors as ransom attacks that compromise vendors or third-party partners.

“We’ve also seen an uptick in nation-state attacks, but [plan sponsors are] less of a target for that type of threat actor,” Sharton says. “Then, lastly, insiders are always an issue that they should have on their radar screen as well.”

In 2023, Sharton expects cyberattackers to use a mix of old- and new-school tactics.

“[Attempts include] drop[ping] thumb drives in the elevator banks or in the lobby to see if somebody picks one up,” Sharton says. “They’ll try to get into a[n office] premises—because [at] many work environments, there’s been many new hires during COVID[-19], and if they’ve had a hybrid [work] situation or people haven’t been coming into the office, it’s easy to get in and tailgate [by pretending to be] new.”

Steven Rabitz, co-chair of Dechert’s employee benefits and executive compensation practice and leader of the national fiduciary practice, advises plan sponsors to start with the DOL guidance and, from there, fill in the gaps to protect their plans. Plan sponsors must understand that the DOL guidance also serves as a reminder that employers must fulfill their functional fiduciary duty with respect to plan and participant data, he explains.

In its 2021 published guidance, the DOL reaffirmed the risk posed by vendors that improperly protect information. The guidance reflects a greater focus by the regulator on cybersecurity protection for retirement plans, Rabitz says, because the DOL outlined the responsibilities of a retirement plan fiduciary with respect to participant and other plan-related data.

The DOL stated that fiduciaries have an obligation “ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems includes measures calculated to protect personally identifiable information,” Rabitz wrote in an email, citing the DOL’s published guidance.

“[The DOL] has recognized the threat and has tried to signal strongly that it is, in fact, a functional fiduciary duty to make sure that your [retirement plan] data is preserved, that you’ve done appropriate diligence, in light of your fiduciary duties, to ensure you believe that your vendors are safeguarding information,” he says. “Plan fiduciaries and [plan] sponsors do have an obligation to make sure that participant information is appropriately safeguarded, and then how that’s done and the best practices as to how that’s done, functionally, is facts and circumstances.”

ESG Bluster Leads to No Effect for Three States’ Retirement Systems

For state pension funds considering environmental, social and governance investments, the sustainable strategies may be mightier than the letter.

Several state retirement funds continue to operate as nonpolitical entities for public employee participants, despite clashes with BlackRock over the suitability of sustainable investing.  

Three state pension funds—Alabama, Indiana and Kentucky—have not changed investment strategies to put sustainable investments on the shelf, according to state pension officials.

The state attorneys general’s (AGs’) eight-page dispatch in August blasted BlackRock for “using state pension fund assets in environmental, social and governance investments to force the phase-out of fossil fuels, increase energy prices, drive inflation and weaken the national security of the United States.”

Despite the letter—written by 19 Republican state attorneys general—that outlined how the group believes BlackRock is using “the hard-earned money [of] our states’ citizens to circumvent the best possible return on investment”—nothing has changed at the Alabama, Indiana and Kentucky state pensions, according to officials.


“It had no change at all,” explains David Eager, executive director, Kentucky Public Pensions Authority. “We are focused on retirement assets and retirees and our fiduciary responsibility, and that letter had no impact on us.”

Under Kentucky state laws, any investment strategy or allocation to an ESG investment must pass muster on its own merits. The state retirement system is guided and governed by an investment policy statement, which says that “all investments are made for the exclusive benefit of retirees,” Eager adds.

“We would look at each investment and say from an opportunity and risk standpoint ‘is this an attractive investment,’ we wouldn’t avoid a security unless the ESG factors would adversely affect their operations and financial future,” he says. “We wouldn’t, for example, ban all energy stocks: We’d look at each energy stock on its own merits.”

Marc Green, CIO, Retirement Systems of Alabama, agreed that the state attorneys general’s letter has not affected the state defined benefit pension and supplemental defined contribution plan.

“We don’t have any actual restrictions or policies in place that guide us as far as ESG investing,” he says. “[ESG is] something that we’re aware of but it doesn’t really drive the bus here.”

Green adds, “We manage all of our assets internally with the exception of one small sleeve, and from a staffing perspective and the subjective nature of ESG, we’re aware of what’s going on out there but it’s not something that we’re going to alter our process for in [the] very near future by any stretch.”

Indiana pension fund participants cannot select ESG investments, according to a spokesperson for the Indiana Public Retirement System.  

“ESG investments are not and have never been on the investment menu for the [defined benefit] plan or available for members to choose for their [defined contribution] investments,” says the statement. “INPRS’s investment policy statement clearly outlines the way the funds entrusted to investment managers must be invested, and that is to reach the organization’s pecuniary goals by using monetarily based investment principles to achieve its risk-adjusted rate of return of 6.25%.”

While the ESG controversy—sparked by Republican-led states—has not changed how those three state systems operate, in Louisiana, the state treasurer doubled down by banning BlackRock from state investments.

In a letter to CEO Larry Fink, Louisiana Treasurer John Schroder says the state removed $794 million from BlackRock funds and that divestment is necessary to protect Louisiana’s fossil fuel sector from harmful actions and policies. “Your blatantly anti-fossil fuel policies would destroy Louisiana’s economy,” the letter states.

“[Y]our support of ESG investing is inconsistent with the best economic interests and values of Louisiana,” Schroder wrote. “I cannot support an institution that would deny our state the benefit of one of its most robust assets. Simply put, we cannot be party to the crippling of our own economy.”

Legal Layers

State retirement systems are not governed by the Employee Retirement Income Security Act as employer-sponsored 401(k) plans are, yet they are governed by state laws that similarly mandate fiduciary duties of loyalty, prudence and care to participants.

Ditching ESG factors completely could add to the litigation risks faced by state plans and bring heightened vulnerability to challenges based on breach of fiduciary duty claims, explains Josh Lichtenstein, partner and head of ERISA Fiduciary Practice at Ropes & Gray.

“From the direct legal consequences, [states] run the risk of challenge[s] that they’re making investment decisions that do violate prudence,” he says. “[For] pretty much every state, their state pension statute directly copies the ERISA fiduciary standard and so while the states don’t generally have a lot of decision authority or regulatory authority in interpreting exactly what their standards mean, there’s a lot of federal court precedent on interpreting what the fiduciary standard means when the exact same words were used in ERISA.”

State pension funds that decide to completely remove ESG factors from consideration may be courting unnecessary fiduciary risks and litigation, he adds.

“[States] do run the risk of allegations of breach of their fiduciary duties and in some states that can mean [a] constitutional breach because sometimes these are built into the constitutions or breach of statutory obligations where they’re built into the statute,” Lichtenstein says. “It’s a real risk that they run that somebody can allege—if we’re talking about limitations in an investable universe—if they’re finding both that the number of investments they can make is limited and if they’re thereby getting lesser returns than other similarly situated plans that have a broader universe of investments. You can imagine how somebody argues that making an investment without considering those economic ramifications would itself be a breach of fiduciary duties and can look to the body of case law on ERISA to draw some interpretive strength to that argument.”

The largest effects of the GOP state pushback against ESG investments and BlackRock, at least initially, could fall on investment managers and advisers rather than on state retirement plans, adds Doug Davison, partner with global law firm Linklaters.

“It kind of causes a shockwave through the investment adviser world,” he says.

He adds, “It almost feels like a lose-lose to some clients, not a win-win.” 

The State Level

For Kentucky, sustainability factors, which may affect the financial outlook, reputation and riskiness of an investment in addition to the liabilities and assets on a company’s balance sheet, “would be a judgment call” for the state retirement system when allocating assets, according to Eager.

“It could be [a bad environmental record], sure but our internally managed investments are indexed, and we don’t pull stocks out of the index for any reason,” he says.

In addition to indexed internally managed investments, Kentucky partners with myriad third-party investment managers that oversee portions of the state pension funds.

Notwithstanding the state attorneys general’s dispatch to BlackRock blasting ESG investments as not appropriate for state workers, the Kentucky Public Pensions Authority—an apolitical entity—does not need to reconcile the two as competing forces, Eager says.

The state’s fiduciary duty to participants is ensured through the structure of the Kentucky system, which intentionally mitigates political influence, according to Eager.  

Eager explains that Kentucky invests the assets of workers under the confines and allowances of state fiduciary law.

“We are governed by a retirement board that is elected by members and appointed by the governor, independent of state influence beyond that,” he notes.

He adds that Kentucky state retirement plan trustees recognize the importance of responsible investing.

“Accordingly, the trustees acknowledge that integrating environmental, social and governance policy principles that engage the issue of risk, opportunity and fiduciary duty perspective will enhance the investment result,” he says. “The overriding consideration for the trustees will continue to be investing to maximize long-term returns for plan beneficiaries.”

By Eager’s description, there is room for ESG investments in the Kentucky state plan, although he cautioned that maximizing investment returns for participants is the goal. “The last statement is the overriding consideration: looking for attractive investments,” he says.

“What’s particularly unique for the [state] plans is many of the trustees are political appointees, so the fiduciary standard is quite broad and can be interpreted in different ways. That’s what we’ve seen play out,” says Davison.

Green, of Alabama, explains that, for the state pension and supplemental DC plan, generating the optimal investment returns is the highest goal, “to hit our actuarial assumed rate of return over the course of time so we can pay our beneficiaries.”

Like Kentucky, the state does consider ESG factors, including board compensation and company governance, he adds.

“If we have an issue with a stance that management is taking, we do vote against management or against management recommendations quite often and that’s nothing new,” Green explains. “Governance has always been an issue here.”

Despite the political positions taken on ESG by several state officials, it remains to be seen exactly what long-term effects will manifest, if any, according to Lichtenstein of Ropes & Gray.

“In Florida, they now have a policy of very broadly excluding investments based on ESG, but it’s not clear that’s going to actually lead to divestitures or that it’s actually going to lead to firing of managers in lieu of other managers. The impact of that very well may just be that the state pension boards are more careful about which particular funds that a manager offers [and] they may invest in or which particular strategies,” he says. “And they may document their investment decisions a little bit more to explain in greater detail exactly what their economic rationale is and that they’re not really investing based on the ESG rationale at all. But it’s not clear that they’re going to actually force divestiture from all ESG investments.”
