How Plan Sponsors Can Combat Cybercrime

A panel hosted by the National Institute on Retirement Security explained that all pension plans are at increased risk, especially plans for public employees, and discussed ways that plan sponsors can mitigate their risk.

Pension plans for public employees are at a much higher risk for cybersecurity breaches than private plans, although private plans face plenty of risk themselves, according to an expert panel hosted by the National Institute on Retirement Security yesterday.

The panel featured Peter Dewar, president of Linea Secure; John Rosenburg, an information security officer at the New York State Teachers’ Retirement System; Michael Kreps, an attorney and co-chair at Groom Law’s Retirement Services & Fiduciary Group; and Jefferey Saiger, the chief technology officer at Illinois State Universities Retirement System.


The panel agreed that public pensions are more susceptible to attack and breach by cyber fraudsters. Kreps argued that public employees’ plans have a “unique vulnerability” because so much of their personal data is publicly available through internet searches by virtue of their government employment. Fraudsters can use this data to narrow down the remaining information they need to steal a participant’s identity and take over their retirement account.

Saiger added that even public records requests, or FOIA requests, are a risk to the security of public systems since they can be used to acquire needed payroll information about public employees and have been used successfully by fraudsters in the past. “We are a ripe target unfortunately,” Saiger said.

The panelists also agreed that though public plans have unique risks, this is a general—and rising—challenge in the industry.

Saiger says the “bad guys are doing their research,” and even if a plan is paper-based they will submit the paperwork and change-of-address requests. “They are very well informed; they are viewing this as a business opportunity.” They put in the work and don’t take shortcuts, because the opportunities can be so lucrative.

Rosenburg warned that account takeover attempts are becoming more frequent, and that knowledge-based verification, such as asking a client to state their address or phone number, is not as solid as it once was, since fraudsters have access to personal information. He explained that retirement cybersecurity professionals need secondary controls, such as requiring a personal PIN or account number that is not publicly available.

Kreps explained that his clients are spending a lot of resources on cybersecurity insurance, and that for some the costs of premiums are so high that they have abandoned insurance altogether.

He also cautioned that insurance coverage is very limited, so plan sponsors need to be careful and read their policy closely to understand what is covered and what is not. For example, some insurance policies may only cover a plan if it requires participants to change their passwords every 30 days, and insurers can deny claims on the basis that the plan did not require it. Kreps recommends that providers have access to legal counsel who can explain their insurance policy to them if they are unsure whether it is a good value.

The panelists offered some recommendations for added cybersecurity.

Rosenburg emphasized that coordination between departments such as IT, risk, legal and cybersecurity is essential to prevent information from being siloed off between them. Regular interdepartmental meetings should be encouraged. He also recommended annual security assessments, and hiring an external service to bring “another set of eyes” to your assessments.

When it comes to training staff at call centers, Rosenburg says that fraudsters will often try to manipulate staff into offering pieces of information that the fraudster lacks, such as by suggesting an answer or appearing sympathetic or forgetful in order to solicit missing pieces of identifying information. It is essential that employees working in customer service be trained to recognize these manipulation tactics, but also be sympathetic to the fact that some clients may be losing their memory or other mental faculties as they age.

On the subject of legal liability, Dewar explained that the Department of Labor requires employers to take certain steps to remain compliant with the Employee Retirement Income Security Act. Kreps, the only attorney on the panel, confirmed this: although “Congress has not figured out how to tackle the issue,” DOL audits ask cybersecurity questions, including what protections plan sponsors have in place and what they require of their service providers.

Associated Bank ERISA Lawsuit Dismissed

The plaintiffs’ fiduciary breach claims were dismissed, with prejudice, in the United States District Court for the Eastern District of Wisconsin.

A federal judge has dismissed a lawsuit seeking class action certification against fiduciaries of the Associated Banc-Corp 401(k) and Employee Stock Ownership Plan.

U.S. District Court Judge William Greisbach dismissed the plaintiffs’ entire lawsuit, brought under the Employee Retirement Income Security Act, in the decision and order granting the defendants’ motion. The defendants in the lawsuit were Associated Banc-Corp, the Associated Banc-Corp Plan Administrative Committee and 20 unnamed individuals.


“Defendants’ motion to dismiss is Granted and the case is dismissed with prejudice,” wrote Judge Greisbach. 

Plaintiffs alleged plan fiduciaries engaged in self-dealing and retained proprietary investments that underperformed their benchmarks. Additionally, plaintiffs claim that Associated Trust Company failed to properly monitor and control administrative expenses and charged higher fees for services than similarly sized plans paid, causing plan participants to pay excessive recordkeeping and administrative fees to the subsidiary.

“Plaintiffs assert that defendants breached their fiduciary duties of prudence and loyalty to the detriment of the Associated Banc-Corp 401(k) and Employee Stock Ownership Plan, its participants, and its beneficiaries,” the order to dismiss states. “They also assert that Associated Bank failed to adequately monitor the fiduciaries responsible for administering the plan.”

Defendants are alleged to have breached their fiduciary duties to participants “by applying an imprudent and inappropriate preference for products associated with Associated Bank within the plan, despite their poor performance and lack of traction among fiduciaries of similarly sized plans,” according to the complaint.

From 2014, retirement plan assets totaled between $453 million and $690 million, and the plan covered between 5,600 and 7,000 participants, court documents show. The plan “consistently ranked in the top half of the 99th percentile of all defined contribution plans by size,” plaintiffs stated in the complaint.

Judge Greisbach rejected each claim argued by plaintiffs in the complaint.

Plaintiffs incorporated into an amended complaint charts purporting to show that in-plan funds underperformed alternatives with similar asset allocations and levels of risk and with greater acceptance by fiduciaries of similar plans.

The documents consisted of Associated Bank’s Form 5500s and Morningstar fund fact sheets, “all of which defendants rely heavily upon in their arguments,” Judge Greisbach wrote in the order.

He noted that the competing arguments by plaintiffs and defendants cited relevant case law and precedent, and concluded that the fund fact sheets were not sufficient grounds to state a claim.

“[Whereas] in certain cases consideration of fund fact sheets not attached or referenced in the complaint may be appropriate, especially where there is no dispute as to the accuracy of the documents,” Greisbach explains. “But in a situation such as this, where plaintiffs specifically allege that the information included on the fact sheets is inaccurate, consideration of the fact sheets would be inappropriate. As was the case in Miller [v. Astellas], although the complaint refers to Morningstar on three occasions, the amended complaint does not refer to the specific fund fact sheets submitted by defendants.

“Because the fund fact sheets are not attached to the complaint, central to the complaint and referred to in it, or information that is properly subject to judicial notice, the court may not consider them at this stage.”

The complaint further alleged that defendants’ mismanagement of the retirement plan harmed participants, “costing the plan millions of dollars in excessive administrative fees,” plaintiffs claimed.

The plaintiffs asserted that defendants improperly included “proprietary investments overwhelmingly rejected by fiduciaries of similarly sized plans, when a nonconflicted fiduciary would have selected among the more popular and better performing nonproprietary alternatives available,” the judge’s order states.

Plan fiduciaries improperly included unpopular, expensive and underperforming in-plan proprietary investments—the Associated Balanced LifeStage, Associated Growth Balanced LifeStage funds and Associated Equity Income Fund—while superior nonproprietary alternatives were available and more frequently used by “nonconflicted fiduciaries,” plaintiffs alleged.  

Judge Greisbach was unconvinced: “The facts alleged in support of these conclusory allegations, however, fail to plausibly support them,” he wrote.

“In the absence of allegations plausibly alleging underperformance of a character and degree sufficient to support an inference that defendants breached their fiduciary duties to the participants, the allegations that defendants included proprietary funds in the plan that no other similarly sized plans included adds nothing.”

Among the 34 different funds offered by the plan, eight, or fewer than 25%, were Associated-branded funds, Greisbach explains.

“As to the three funds highlighted in the amended complaint, the allegations of underperformance do not create an inference of imprudence because they are based on short-term performance,” he states in the order to dismiss. “Short-term performance is an unreliable indicator of overall performance because it can mask year-to-year performance and is a poor predictor of future performance.”

Greisbach’s order also dismissed plaintiffs’ allegations that Associated Bank’s subsidiaries, Associated Trust Company and Kellogg Asset Management, breached their fiduciary duty to prudently and loyally monitor the underlying collective investment trusts of Associated Bank funds in the plan.

Associated Bank CITs comprised up to 45% of the underlying holdings of the Associated Bank asset allocation funds in the plan, costing participants 45 basis points, while comparable managers charged 10 bps for similar services, from whom “defendants could have obtained the same CIT portfolio management services,” the plaintiffs argued.

“[P]laintiffs’ claim is that ATC and Kellogg were imprudent and disloyal by utilizing Associated Bank’s proprietary funds as underlying investments of Associated Bank’s LifeStage Funds,” Judge Greisbach wrote. “Plaintiffs’ allegations are insufficient to state a plausible claim on these grounds.”

The lawsuit sought an order compelling the defendants to personally make good to the plan all losses that the plan incurred because of the breaches alleged and an order requiring Associated Bank to disgorge all profits received from the plan, among other things.

The lawsuit was brought in 2021.

Requests for comment to plaintiffs’ attorneys and Associated Banc-Corp were not returned.
