Retirement Plan Sponsors Need Strong Cybersecurity Defenses

A plan sponsor could face legal liability if a breach or fraud of participant accounts occurs.

In October, a former participant in the Estee Lauder 401(k) plan sued the plan sponsor and plan providers for failing to safeguard her retirement account.

According to the complaint, in September and October 2016, an unknown person or persons stole the participant’s retirement savings by withdrawing a total of $99,000 in three separate unauthorized distributions from her account in the plan.


The lawsuit highlights the importance of retirement plan sponsors having robust cybersecurity defenses.

The two areas of cybersecurity defense that sponsors should be mindful of are breaches and fraud, says Lynda Abend, chief data officer with John Hancock. “A breach is where there is a compromise to your information systems, and there is a large extraction of data,” she says. “Fraud is when that data is used to perpetrate a financial crime.”

Surprisingly, “there is no formalized guidance on cybersecurity, although a number of regulations are coming out,” Abend says. “There are the GDPR privacy regulations in Europe. California is coming out with the Consumer Protection Act, which will impose fines on corporations with data breaches.”

Should a breach or fraud occur, “a sponsor could be liable if the claimant establishes that it failed to follow a prudent process to safeguard the plan data,” says Joan Neri, counsel in Drinker, Biddle & Reath’s ERISA practice. “That is how a liability could develop, and the consequences could be severe. The sponsor would need to make the plan whole, to send notifications about the breach and fraud to participants, and to provide them with identity theft protection. There would be business interruption and reputational risk.”

Neri says sponsors need to be mindful about the sensitive data they manage on behalf of retirement plan participants: their dates of birth, Social Security numbers and account balances. Breaches could occur through phishing, malware or a stolen laptop, she notes.

The first thing that sponsors should do is to ensure that their fiduciary insurance policies have riders that cover cyber breaches, Neri says. “A lot of insurance companies are now offering standalone cyber insurance that is far more complete than a rider,” she adds. “They include things such as access to cyber breach response experts, credit monitoring and technical assistance with public relations.”

Related to receiving underwriting for such insurance are measures sponsors should be taking to avoid a breach or fraud, she says. “Underwriters look at three major factors. First, what sponsors are doing in the way of careful hiring practices and whether they are providing training on cybersecurity best practices. Second, they look at how data is transmitted and who has access. Finally, they scrutinize sponsors’ processes for hiring service providers. There is a whole network of third parties involved in the management and administration of a retirement plan. It is imperative for sponsors to prudently select and monitor their service providers.”

When hiring service providers, sponsors should also look to see whether or not they have a clause about how they handle cybersecurity in their contract, Neri says. “The contract should address limitations and restrictions on how the service provider is using the plan data. They should be encrypting data and destroying data they no longer use, and, if they have subcontractors, it should spell out how they interact with them.”

Most importantly, it should detail “how they will respond to a cybersecurity breach and how they will take efforts to prevent future occurrences,” Neri says. “They should also state that they will preserve evidence because it might be needed to track down the person who perpetrated the breach. It should also include language that they agree to be liable in the event of a breach, and that they will share the costs.”

Indeed, many recordkeepers now offer cyber guarantees that make up for losses up to a certain point, says David Kaleda, a principal in the fiduciary responsibility practice group at Groom Law Group, Chartered. “In a typical recordkeeper agreement or third-party agreement, there are indemnification and warranty clauses,” he says. “Sponsors should check to see if they include provisions that will make a plan whole again” in the event of fraud.

Service providers should also have conducted a SOC (Service Organization Control) 2 audit, according to Abend. “Those audits look at their security, availability, processing, confidentiality and privacy of data—and their controls around them,” she says.

SOC 2 reports are derived from the American Institute of Certified Public Accountants (AICPA) Trust Service principles, Abend explains. They were developed to provide assurance on internal IT controls related to information handling in the cloud, in order to minimize risk and exposure.

In order to handle all of this, it is important to work with an Employee Retirement Income Security Act (ERISA) attorney who is familiar with cybersecurity, Neri says.

It is also important for sponsors to educate participants on best practices for protecting their data, says Jason Lish, chief security, privacy and data officer for Advisor Group’s advisor solutions team. “They can encourage participants to set up multifactor authentication and other types of anomaly identification,” Lish says.

Just as important is “having a cybersecurity management plan in place whereby all of the retirement plan fiduciaries understand what that plan is and how it is executed,” Abend says.

What DB Plans Can Learn From Insurance Companies

Insurance companies take on pension risk, so why wouldn’t DB plan sponsors take lessons from insurers’ investment strategies?

John Simone, managing director and head of Voya’s Insurance Investment Solutions business in Chicago, says old ideas for insurance companies are new ideas for defined benefit (DB) plans.

Just as DB plans are challenged by low interest rates and the late credit cycle, so are insurance companies; they have to meet long-term obligations too. And, as Brett Cornwell, fixed income client portfolio manager at Voya Investment Management in Atlanta, Georgia, points out, it is insurance companies that DB plan sponsors turn to when transferring the risk of their plans.


According to Cornwell, DB plans, in the last 10 or 15 years, have been adding more fixed income instruments that match the duration of their liabilities, such as long-duration bonds. They have also been moving out of growth-seeking assets. “DB plans are discounted with the AA corporate bond yield, so intuitively, plan sponsors are using more long-duration bonds to match the discount rate,” he says.

But fixed income has grown to 60% or as much as 80% to 90% of DB plans’ portfolios. Cornwell says that’s largely worked, but now it is a risk factor that corporate bond exposure is so high. “LDI 2.0 is more about now diversifying portfolios so they don’t have too much in a corporate bond name or sector,” he says.

When diversifying, some DB plan sponsors take on a lot of risk with non-fixed income assets, Simone says, but insurance company investment ideas do not necessarily dial up risk.

Diversifying from long-duration bonds

A Cerulli Associates survey shows U.S. insurance companies view the late stage of the credit cycle as “very concerning.” In response, nearly two-thirds (64%) plan to increase their allocations to private debt and half expect to add to structured or securitized debt during the next 12 months. Among alternative investments, which are limited in insurers’ general account investment portfolios due to regulatory capital constraints, a majority of insurers plan to add to infrastructure investments (75%), alternative fixed-income strategies (63%), and private equity (55%).

Cornwell says insurance companies use a variety of securitized sectors—fixed income sectors not as narrowly defined as what DB plans use. He believes DB plans should take a more diversified approach.

For example, insurance companies use investment-grade private placements, which he says is a direct extension of what DB plans are already doing—adding corporate credit. A private placement is a sale of stock shares or bonds to pre-selected investors and institutions rather than on the open market. It is used by a company seeking to raise capital.

Cornwell explains that private placements can offer covenant packages—a company may be asking for capital to fund a business, so a DB plan lends the company money. Private placements have “make whole provisions.” Such provisions allow parties to agree in advance on a measure of damages for prepayment of the loan. Lenders use make-wholes to lock in a guaranteed rate of return on their investment at the time they agree to provide the financing, while borrowers may benefit by obtaining lower interest rates or fees than they would otherwise. Cornwell says private placements are credit-oriented instruments that come with protections from downgrades, defaults and credit-rating migrations.

NYC-based Tas Hasan, partner and investment committee member at Deerpath Capital Management, a direct lender to the lower-middle market, says that, for DB plans, direct lending currently carries elevated leverage levels while generating low yields. “Pension funds need to generate yield, but in the late credit cycle, they are thinking more about safety,” he explains. “When pushed to take increased risk, the upper-middle market is overheated, so they can move into the lower-middle market. We don’t see an erosion of the quality of loans with an elevated level of risk in the lower-middle market.”

Direct lending is a form of corporate debt provision in which lenders other than banks make loans to companies without intermediaries such as an investment bank, a broker or a private equity firm. The lower-middle market consists of companies with less than $50 million of earnings before interest, tax, depreciation and amortization (EBITDA).

According to Hasan, the case for direct lending in the lower-middle market is that a lot of capital has been raised in direct lending, but most has concentrated on lending to companies with more than $100 million in enterprise value. More than 80% of those loans are now “covenant-lite,” meaning they lack the traditional requirements for companies to maintain certain financial benchmarks that protect the investors who fund them. In the lower-middle market, there are still protections and covenants in place to mitigate risk.

A sustainable, long-term approach

Mike Anderson, vice president and portfolio manager for asset and liability management (ALM) strategies at Securian Asset Management, based in St. Paul, Minnesota, says, “In my role working with ALM strategies for [insurer’s] general accounts, I look at each liability and work to manage assets against those liabilities, taking a sustainable, long-term approach.”

He says securitized assets help with that. When the overall general account is in investment-grade fixed income, commercial mortgage loans are a good percentage of the portfolio. In addition, fixed income investments include asset-backed securities and corporate credit.

Anderson says regular feedback of liability and longevity information from actuaries helps to improve the ALM process in terms of security selection and pricing, especially when thinking about credit risk and liquidity needs.

Jeremy Gogos, vice president and portfolio manager of quantitative strategies at Securian, based in St. Paul, Minnesota, says pension plan sponsors have the advantage of a good projection of liquidity needs. They have the ability to allocate into variations of commercial whole loans and private placements, taking on a liquidity premium above that of the insurance market.

According to Cornwell, there are some securitized assets not available to DB plans, but there is still a wide array they can use. He adds that long duration collateralized mortgage obligations (CMOs) have structural protection and collateral that is government-backed. A CMO refers to a type of mortgage-backed security that contains a pool of mortgages bundled together and sold as an investment. Organized by maturity and level of risk, CMOs receive cash flows as borrowers repay the mortgages that act as collateral on these securities.

Some key things for DB plan sponsors to consider, according to Cornwell, are that DB plans and insurance companies work under different regulatory environments and that DB plan liabilities are valued differently than insurance liabilities. Also, DB plans are governed by the Employee Retirement Income Security Act (ERISA), so plan sponsors should consider what is and is not allowable. He adds that there is some ambiguity about whether DB plan sponsors governed by ERISA can invest in below-investment-grade securitized assets, but he believes most would say it is not allowed.

Still, Cornwell says, “We advocate for DB plan sponsors to take investing lessons from insurance companies to the extent it works for their plans.”
