PSNC 2024: Lisa Gomez Talks Cybersecurity, AI, Retirement Security Rule

The Department of Labor remains focused on creating a missing participants database, as well as providing guidance on cybersecurity and lifetime income, according to the head of EBSA. 

Assistant Secretary of Labor Lisa Gomez, the head of the Employee Benefit Security Administration, discussed a number of issues that are top-of-mind for plan sponsors—including concerns about cybersecurity, missing participants and the Retirement Security Rule—at the PLANSPONSOR National Conference in Chicago on Wednesday. 

But overall, Gomez said it is important for plan sponsors to reflect on what they are trying to accomplish with offering a retirement plan and who they want the plans to benefit, emphasizing the need to course correct if plans are not serving the needs of all participants. 


“We find that there are there’s so much [research] out there saying that the people who are really benefiting from these plans are the higher earners…” Gomez said. “Let’s be honest with ourselves. Are we okay with how things are, and who is saving and how much they’re saving. If we’re not okay [with it], how much are we, as the collective retirement industry, going to do to try to fix it?”

Regarding cybersecurity, Gomez said that as attacks and data breaches have become increasingly common in the retirement industry, the Department of Labor is continuing to work with plan sponsors to ensure they are implementing best practices when it comes to cybersecurity.

Cybersecurity, AI 

In 2021, the DOL released guidance on best practice standards, which included information on maintaining a documented cybersecurity program, conducting prudent annual risk assessments, encrypting sensitive data and more.  

With respect to artificial intelligence, Gomez said there has been a lot of focus within the DOL on how AI can be used in a way that is “responsible and protective,” while also not missing out on the opportunities that a tool like AI can bring. 

“The [Biden] Administration, and particularly within the Department of Labor, [has been] very focused on making sure that workers and employers are part of the discussion on responsibly using AI,” Gomez said. “…We don’t have anything specifically out on AI yet, but … plans should be considering those general best practices for cybersecurity when thinking about implementing AI.” 

Gomez stressed it is vital that plan sponsors are wary of some of the dangers that could result from AI. For example, she said some in the industry, including plan sponsors and recordkeepers, have talked about using voice recognition as a way to verify they are speaking with a participant or beneficiary. However, she said voice recognition may not be the most reliable source, as bad actors have the ability, through using AI deepfakes, to mimic voices. 

She said AI, including tools like ChatGPT, could be helpful in creating plan documents and notices to participants, but again, she said it is important to be aware of the potential dangers and issues with tools like ChatGPT, as it is a “crowdsource tool” that only knows what it has been taught.

Missing Participants, Lost & Found Database 

Another main focus of the DOL right now is connecting participants with benefits they have earned but may have lost track of, and finding missing participants, Gomez said. SECURE 2.0 mandated that the DOL must create a national, online “lost and found” database for participants to track their retirement accounts. 

Gomez said the DOL has a deadline of December 29, 2024 to create the database. She said once the DOL develops the tool and populates the database, it needs to educate plan sponsors and participants on how it works.  

However, she said a challenge in creating the database is that there is no central source of information that the DOL can pull from to populate it, even though plan sponsors and administrators are already reporting a lot of the missing participant information to the government in some way.

“We don’t have all that information just out there for the taking of a government agency,” Gomez said. “We’re working hard with our colleagues at the Treasury, the IRS and the Social Security Administration to figure out if there’s a way to share some of that information that’s already reported. That has not gone as well as we had hoped, and things take longer than sometimes you hoped that they would take.” 

As a result, the DOL also issued an information collection request in April, asking plan administrators to voluntarily turn over information to the DOL that would enable it to populate the lost and found database. 

“I think that the incentive to plan sponsors and plan administrators to voluntarily provide this information does lie in if we have this database, it will be one more tool that will be helpful in trying to engage with and connect participants so that you can pay out amounts that [they are owed],” Gomez said.

In addition, Gomez said there is a project on the DOL’s regulatory agenda to look at lifetime income “in a more direct way,” as translating the savings that a participant has accumulated throughout their working years into an income stream in retirement is a daunting task. 

Retirement Security Rule 

Gomez also spoke about the passage of the Retirement Security Rule in April, which clarified for plan sponsors and individuals how fiduciary obligations under ERISA apply to investment professionals dealing with retirement-related investments.  

A main takeaway of the rule for plan sponsors, Gomez said, is that they are considered “retirement investors.” 

“We wanted to make sure that… if [plan sponsors] are going out to get investment recommendations that they understand, no matter what type of professional they’re going to and what type of investment vehicle is being discussed, that all of them will be protected under this rule.”  

Essentially, if a professional is providing an investment recommendation to a “retirement investor,” that advice needs to be in the best interest of the investor—not the provider, Gomez explained. 

“We recognize that the great majority of financial professionals are [already] working under rules like this one, and they’re providing good services for a reasonable price and [are] being upfront with their participants,” Gomez said. “We wanted to create a level playing field so that everyone is working under the same rules.” 
