Plan Sponsors Must Focus on Cybersecurity – How Broad Are Their Fiduciary Shoulders?
Corporate America loves to manage its retirement plans. The motivation for this is unclear, as the upside is limited and the downside keeps increasing. With creative litigation exploding and expanding the burden, plan sponsors can now add cybersecurity to the laundry list of competencies required of plan fiduciaries.
In the old days, retirement committee members were covered if they understood the basic asset allocations of their pension plans and the selection of its asset managers. In retrospect, the fiduciary life was much simpler then. With the introduction of 401(k) plans, skill sets had to expand to include selection of investment options and a host of service providers, including recordkeepers and administrators. Importantly, as a result of a decade’s worth of “fee litigation”, these fiduciaries now need to understand the intricate pricing techniques of the mutual fund industry. This includes multiple share classes, revenue sharing, and expense benchmarking.
Recently, there has been an uptick in ERISA litigation focusing on cybersecurity. The risks here are high, as plan participants aren’t just accessing their accounts electronically to monitor their progress and make investment selections; they are also making withdrawals. Furthermore, the recent CARES Act allows certain plan participants to take in-service distributions and loans. Practically speaking, courtesy of the pandemic, electronic activity within plans has increased significantly. Already, cyber-thieves have managed to create false accounts and false passwords and have been able to initiate fraudulent withdrawals from retirement plans.
Like it or not, plan fiduciaries have now been thrown into the wild world of cybersecurity. In order to stay a step ahead of cyber criminals, protect participant assets, and stay out of the crosshairs of the plaintiffs’ lawyers, best practices must evolve quickly to include cybersecurity issues.
ERISA lawyers and consultants are now compiling detailed diligence monitoring lists to assure that recordkeepers and administrators have adopted state-of-the-art cybersecurity capabilities and safeguards. And recently, the U.S. Department of Labor has issued new cybersecurity guidance for plan sponsors. If mastering mutual fund fee structures wasn’t enough of a burden, now plan fiduciaries must dig into the nitty-gritty of electronic account access, password policies, and control testing. And, while they are at it, insurance and fidelity bond coverage must now be reviewed to explore coverage in the event of a cybersecurity loss.
Remember, it is not good enough for plan fiduciaries to have a “passing” knowledge of these issues, nor even reasonable knowledge. Instead, plan fiduciaries and investment committee members must be “prudent experts.” Imagine being the head of Human Resources, the General Counsel, or a senior treasury official, and having to add cybersecurity expertise to the already long list of fiduciary responsibilities. No doubt in the time of COVID-19 their plates are already full with their day jobs. How broad are their shoulders?
As the world continues to evolve and as the risks and responsibilities of running a retirement plan continue to increase, plan sponsors should be thinking differently. Delegating fiduciary oversight to an independent fiduciary can relieve investment committees from these responsibilities. Let the independent fiduciary be an expert on the various fee structures crafted by the mutual fund industry. Let an independent fiduciary implement, monitor and be responsible for cybersecurity policies and procedures. Doing so would allow company executives and investment committee members to focus on their own bottom lines. And it would allow them to focus on generating earnings rather than on the business of running and maintaining a retirement plan.