Report: DOL Information Security Needs Improvement

An audit of the Department of Labor’s program determined it is ineffective.

A yearly audit found that information security programs at the Department of Labor contain weaknesses, demonstrating the regulator failed to fully adhere to applicable Federal Information Security Management Act requirements and other guidance.

Professional services firm KPMG LLP conducted the audit and made three recommendations to strengthen the regulator’s information security program. It also found, “based on testing,” 38 prior-year recommendations were closed and 31 recommendations remained open, according to the “FY 2023 FISMA DOL Information Security Report: Making Improvements Toward an Effective Program.”


KPMG found that the DOL’s information security program did not fully adhere to applicable FISMA requirements, Office of Management and Budget policy and guidance, and National Institute of Standards and Technology standards and guidelines.

The “DOL’s system-level security policies have not been updated to comply with” these applicable standards and guidelines, Carolyn R. Hantz, the DOL’s assistant inspector general for audit, wrote in a letter accompanying the report.

The Federal Information Security Management Act was passed in 2002—as part of the Electronic Government Act—setting guidelines and security standards to protect government information and operations.

FISMA requires every federal agency to develop, document and implement agency-wide information security programs.

To be FISMA compliant, regulators must:
  • Perform system risk categorization of information systems, according to their risk levels, to ensure that sensitive information and high-value-asset systems are given the highest level of security. The categorization process considers the type of information contained in or processed by a system and determines what security controls are needed;
  • Meet baseline security controls. Federal systems must meet minimum security requirements as outlined in the National Institute of Standards and Technology Security and Privacy Controls for Information Systems and Organizations Special Publication 800-53;
  • Document the controls in the system security plan and maintain that documentation;
  • Evaluate system risks regularly to validate current security controls and determine if additional controls are required;
  • Conduct annual security reviews; and
  • Implement continuous monitoring.

“We remain concerned that the prior-year finding of compliance with NIST SP 800-53, Rev. 5, remains outstanding,” Hantz wrote. “By not updating the department’s policies and procedures to be compliant, the Chief Information Officer is not taking necessary steps in mitigating IT risk for the department.”

Based on the issues identified, there are concerns from inside the DOL “about the remaining corrections needed in [office of the chief information officer]’s oversight and accountability over DOL’s information security control environment,” according to the Office of the Inspector General’s summary of the report.

KPMG noted further deficiencies in the development and implementation of supply chain risk management security controls, plan-of-action and milestone reviews, configuration management controls and the enforcement of rules of behavior acknowledgement.

“We are also concerned about the findings of unimplemented supply chain risk policies and undocumented configuration deviations, which diminish the Chief Information Officer’s ability to ensure the foundational steps to manage IT risk for the department are taken,” Hantz wrote.

KPMG reported seven findings for DOL’s information security program within two of five cybersecurity framework functions and four of nine FISMA metrics.

A security program is considered effective if the calculated score of the Cybersecurity Framework Functions is rated at least Managed and Measurable (Level 4), the report stated.

The DOL’s office of the chief information officer “generally” concurred with KPMG’s findings, pledging to resolve each of the identified issues.

“All recommendations identified have been remediated or plan to be remediated in FY 2024,” the report summarized.

KPMG LLP conducted the audit on the DOL’s information security program for the period of October 1, 2022, through June 30, 2023.

A DOL representative did not return a request for comment on the report.

Unum Group Sees Early Success With Emergency Savings Program

The insurance provider launched its emergency savings program in April, allowing participants to contribute up to $10,000 to the account each year.

Since launching an emergency savings program in the spring of this year, financial insurance provider Unum Group has seen significant success, with nearly 500 employees—out of the company’s 10,500 U.S. employees—participating in the program.

The program is offered through Unum’s 401(k) plan, administered by Fidelity, allowing participants to contribute any amount up to $10,000 to a fund that can be utilized to pay for any unforeseen expenses, without having to dip into retirement funds or use credit cards.


Initial Success

A total of 491 employees have enrolled in the program since its initial launch, with combined contributions of $943,285, according to Unum, with the average savings per employee at $1,414 through November.

When designing the emergency savings program, Carl Gagnon, Unum’s assistant vice president for global financial well-being and retirement programs, explains that he wanted to add automatic enrollment and go beyond what the SECURE 2.0 Act of 2022’s optional provision offered.

One of the SECURE 2.0 emergency savings provisions allows a plan sponsor to create a sidecar emergency savings account to which participants can contribute up to $2,500 per year. Gagnon felt that amount of savings was not substantial enough to help with unexpected expenses, so Unum’s program has a $10,000 limit, with participants contributing on an after-tax basis.

“In addition to our pre-tax 401(k) plan and our Roth post-tax plan, we added a true non-Roth post-tax source to our 401(k) plan,” Gagnon says. “We decided, since safe harbor plans exist for a reason: to leave the investment structure open for [the emergency savings account].”

Unum worked with Fidelity, the firm’s third-party administrator for its 401(k) plan, to build the emergency savings account into the 401(k). Gagnon says Fidelity did not have the infrastructure available until April to institute a second auto-enrollment feature for the emergency savings account. As a result, Unum launched the program voluntarily in ,almost one year before SECURE 2.0 became law, which saw a lot of interest from employees right off the bat.

Employees are now automatically enrolled into traditional retirement savings at a 5% deferral rate, with any new hire or rehire who started on or after April 3 defaulting into the post-tax emergency savings plan at 1%.

“We’ve seen our post-tax source, which was at $0 just a while ago, climb to almost $1 million during this period through the end of October,” Gagnon says.

As the automatic enrollment portion of the program was launched in April 2023, most of the employees who were automatically enrolled were not officially enrolled until 45 days after hire. So far, Unum only has three months of data but found that about 35% of new hires have kept the automatic enrollment in place.

Participants Take Advantage of Program’s Flexibility

The program comes at a time when the majority of Americans say they cannot afford a $1,000 emergency expense, according to Bankrate.

Similar to its 401(k) plan, Unum allows employees to set a deferral percentage that ranges from 0% to 50%. The emergency savings program has the same investment options as the company’s 401(k) plan, which means employees’ emergency savings have the opportunity to grow.

Employees can start or stop deductions and can withdraw funds from the account at any time. If an employee does not use the funds, they may be used as additional retirement savings. Since the emergency savings program is a post-tax source within the 401(k) plan, money in the plan can also be used toward retirement savings.

Gagnon says current participants have been withdrawing funds from their emergency accounts—to date, Unum Group employees have withdrawn $329,888 from the emergency savings program—but notably, 85% still have a remaining balance.

“We’re pretty pleased with that, because it goes to show that people are using it for its intention,” Gagnon says. “People are saying, ‘I have $2,000 in emergency savings, but I need that new transmission or four new tires for my car and I don’t have a source, so I’m going to take out $800 or $900 and leave the [remaining] balance in emergency savings.’”

Time will tell whether the program will cause people to stay in the plan and how many participants will utilize emergency savings, but Gagnon predicts that over the next three to four years, 50% to 60% of Unum employees will have an emergency savings account.

“We’re really pleased with the early results,” Gagnon says. “We think it’s the way to go, [and] we think it’s an easy way to implement [emergency savings].”

Unum conducts a total well-being survey of employees every 18 to 24 months, and Gagnon says there will be a correlation analysis of the people who recently started emergency savings accounts to see if their well-being scores increase.

In addition to the emergency savings program, Unum has plans to add an in-plan annuity to its 401(k) plan by the end of the first quarter of 2024, as well as a qualified longevity annuity contract in early 2025.
