SPARK Creates Definitions for Cybersecurity Terms

“These definitions provide a level platform for vendor evaluation as it relates to cyber security breach and fraud,” says Rasch Cousineau, a senior consultant with the Hyas Group.

Seeing the words “cybersecurity breach” and “cyber fraud” in the news, in an email, or anywhere else can be enough to cause panic. But what constitutes a security breach, and how a recordkeeper should inform a plan sponsor about cyber-related events, remains unclear throughout the industry.

As plan sponsors increase their emphasis on cybersecurity safety, “security breach” and “cybersecurity” are becoming key issues in recordkeeping contracts, says The SPARK Institute. To develop a better understanding of the terms and their meanings, the company, through the work of its Data Security Oversight Board (DSOB), has developed common definitions for these terms and made them publicly available.

“It’s important to keep in mind that these definitions serve as guidelines and do not supersede state and/or federal laws, legislation, or regulation,” says Dennis Lamm, a member of SPARK’s DSOB from Fidelity Investments, who headed up the task force responsible for developing these definitions. “Our objective was to create a reasonable approach consistent with best practices and industry standards that will serve to protect participants, simplify discussions and get to an agreement more quickly.”

According to SPARK, over 11 months, the DSOB Task Force worked with definitional examples from national cyber standards, international regulations, state privacy laws, and client contracts and gathered insights from the plan consultant representatives on the board.

“As Plan Fiduciaries evaluate their third-party vendors, cybersecurity measures and standards have become increasingly relevant,” says Rasch Cousineau, a senior consultant with the Hyas Group. “These definitions provide a level platform for vendor evaluation as it relates to cybersecurity breach and fraud.”

The set of definitions includes two examples, Security Breach and Cyber Fraud, according to the report. For illustrative purposes, examples of a Security Breach include: “A successful attack on a recordkeeper’s network or information system which results in authorized acquisition of participant records”; “An intrusion into a recordkeeper’s external cloud account that results in the attacker acquiring unencrypted personal data stored within the environment”; and more.

Examples of Cyber Fraud include participants disclosing account usernames and passwords via phishing email links, and compromised computers carrying forms of keystroke-logging malware.

SPARK makes it clear in its report that the definitions are “not intended to supersede state and/or federal laws, legislation, or regulation, but are meant to establish a base of communication between recordkeepers and plan sponsors regarding Security Breaches and Cyber Fraud events.”

GAO Reviews Retirement Savings Leakage

The GAO interviewed retirement plan stakeholders and found several ways to stem the tide of funds leaving 401(k)s and IRAs.

In 2013, workers in their prime working years, i.e. those between the ages of 25 and 55, removed $69 billion of their retirement savings early, according to a GAO analysis of data from the IRS and the Department of Labor (DOL). The bulk of the leakage was from individual retirement accounts (IRAs), with $39.5 billion being removed from these accounts. That represented 3% of total IRA holdings and exceeded contributions in that year.

The $29.2 billion worth of withdrawals from employer-sponsored retirement plans came in the form of hardship withdrawals, lump-sum payments made at job separation and loan balances that were not repaid. Hardship withdrawals were the largest source of early withdrawals from 401(k) plans, with 4% of participants between the ages of 25 and 55 taking out $18.5 billion in hardship withdrawals in 2013. This was equivalent to 0.5% of the total assets in 401(k) plans and 8% of total contributions to these plans in 2013.

Cash outs of account balances of $1,000 or more were the second largest source of early withdrawals, with 1.1% of participants between the ages of 25 and 55 withdrawing $9.8 billion of assets that they did not roll into an IRA. Loan defaults accounted for $800 million withdrawn from 401(k) plans in 2013.

The GAO then took a look to see if there were certain demographic and economic characteristics among those cashing out of their plans early. Those between the ages of 45 and 54 took higher IRA withdrawals than younger folks. In addition, those with a high school degree or less were more likely to cash out or take a hardship withdrawal. Families with five to eight members were more likely to take this action, as well as those who were widowed, divorced or separated.

In addition, leakage was more likely among African-American and Hispanic individuals than it was among those who characterized themselves as White, Asian or Other, and the incidence of IRA withdrawals and hardship withdrawals was higher in non-metropolitan areas than among individuals living in metropolitan areas (7% and 6%, respectively).

Individuals working for employers with fewer than 25 employees had a higher incidence of IRA withdrawals (9%), along with those working fewer than 35 hours a week (7%) and those with household debt of $5,000 up to $20,000 (14%).

Those with a household income of less than $50,000 had a higher incidence of IRA withdrawals and hardship withdrawals—as well as those with less than $1,000 in cash reserves (10%), less than $5,000 in retirement assets (7%) and who had participated in their retirement plan for less than three years (6%).

“Stakeholders GAO interviewed identified flexibilities in plan rules and individuals’ pressing financial needs, such as out-of-pocket medical costs, as factors affecting early withdrawals of retirement savings,” according to GAO’s report, “Retirement Savings: Additional data and analysis could provide insight into early withdrawals.” The report says, “Stakeholders said that certain plan rules, such as setting high minimum loan thresholds, may cause individuals to take out more of their savings than they need. Stakeholders also identified several elements of the job separation process affecting early withdrawals, such as difficulties transferring balances to a new plan and plans requiring immediate repayment of loans, as relevant factors.”

Stakeholders said that to mitigate this leakage, sponsors should consider a wide variety of solutions: permitting workers to continue to repay loans after job separation; limiting loan access to only workers’ contributions to their retirement plan, not company matches; building emergency savings features into plan designs; implementing a waiting period after loan repayment before a participant can access a new loan; reducing the number of outstanding loans; making short-term loan programs from third-party vendors available to participants; simplifying the rollover process; eliminating hardship withdrawals, which, unlike loans, are not repaid; and offering financial wellness programs to help employees with budgeting, emergency savings and credit management.

GAO notes that the ability to transfer balances from one retirement plan to another is important, as the DOL’s Bureau of Labor Statistics reported in 2017 that from 1978 to 2014, workers held an average of 12 jobs between the ages of 18 and 50.

GAO concludes that “billions of dollars continue to leave the retirement system early. Although these withdrawals represent a small percentage of overall assets in these accounts, they can erode or even deplete an individual’s retirement savings, especially if the retirement account represents their sole source of savings.”

An executive summary of GAO’s report can be viewed here, and the full, 50-page report can be viewed here.
