by Mary B. Andersen, CEBS, ERPA, QPA
“Lost in Space” was a popular television series in the 1960s. Sabotage by crew member Dr. Zachary Smith threw the ship off course and launched endless adventures. Today’s equivalent of Dr. Smith is an unauthorized computer hacker who breaks into data security systems and wreaks havoc on confidential information. The ensuing adventures are anything but fun.
The possibility of cyberdata sabotage is now a day-to-day threat that frequently makes the headlines—and employee benefit plans are not spared exposure to data sabotage.
Lost or Hijacked Data
Employee benefit plan administration has become an outsourced commodity. Data is often transferred multiple times to multiple service providers (for example, from the payroll department to the contract recordkeeper to an actuary, then on to a trustee). Employee benefit plan data includes sensitive information such as Social Security numbers, dates of birth, and addresses.
The EBSA Advisory Council to the U.S. Department of Labor (DOL) has been studying the issue of cybersecurity for benefit plans for some time. The council—which comprises 15 members representing plan sponsors, participants, and service providers, all appointed by the secretary of labor—issued a report on this threat to plans and participants in November 2016 in the form of a PowerPoint presentation.
The presentation recommended establishing a strategy that:
- Identifies how retirement plan data is accessed, stored, controlled, transmitted, and maintained;
- Considers existing cybersecurity frameworks (National Institute of Standards and Technology [NIST], Health Insurance Trust Alliance [HITRUST], Support Anti-Terrorism by Fostering Effective Technologies Act [SAFETY Act] of 2002, and industry-based initiatives); and
- Establishes process considerations (such as protocols and policies covering testing, updating, reporting, training, data retention, and third-party risks).
Plan sponsors subject to the Health Insurance Portability and Accountability Act (HIPAA) already have conducted a security risk assessment for their protected health information (PHI). They should consider extending that process to retirement plans.
Cyber Risk Assessment
In addition to the strategy mentioned above, the U.S. Department of Homeland Security (DHS) has a Cyber Resilience Review (CRR) Self-Assessment Package. The package enables the user to generate a report based on the plan’s answers to the assessment’s questions.
Even if you have your own cyber risk assessment policy in place, it might be worth comparing it with the DHS assessment, developed at the Carnegie Mellon University Software Engineering Institute.
There are many benefits to plan sponsors of implementing a cybersecurity risk assessment, including:
- Protecting sensitive employee information;
- Avoiding negative mention in national headlines; and
- Potentially enabling a more efficient and faster ERISA audit. Less time spent on the audit equates to lower fees.
The CRR Self-Assessment package is divided into the following sections:
- Asset management;
- Controls management;
- Configuration and change management;
- Vulnerability management;
- Incident management;
- Service continuity in the event of a disruptive event;
- Risk management;
- External dependencies (examines controls where assets are dependent on the actions of third parties);
- Training and awareness; and
- Situational awareness.
Make sure your retirement plan management priorities for 2017 include a cybersecurity risk assessment.
At the same time your plan is preparing for lost data from cybersecurity threats, it should be ready to find lost participants.
DOL Employee Benefits Security Administration (EBSA) regional offices, located in Philadelphia and Boston, have been examining how plan sponsors pay benefits to participants. The Philadelphia office is focusing on large defined benefit plans and examining a plan sponsor’s procedures for locating missing participants. The Boston office is examining whether plan fiduciaries are following plan terms related to distributions, and what plan sponsors are doing regarding uncashed benefit checks.
Until 2012, the IRS had a letter forwarding program assisting plan sponsors trying to locate lost participants. The program has now been dropped due to the many free search tools available to plan sponsors.
DOL’s Field Assistance Bulletin 2014-01 outlines steps to be taken when terminating a defined contribution plan; these steps are relevant to any missing participant search. They include:
- Acceptable search steps (already in use by many plan sponsors):
  - Use certified mail;
  - Check other employer plans, for example, health plans, for potentially more up-to-date participant records;
  - Contact the designated beneficiary; and
  - Use free electronic search tools.
- If the above steps fail to find the lost participant, additional steps may be necessary, depending on the size of the account balance and the cost of further search efforts. Additional steps include:
  - Other Internet search tools;
  - Commercial locator services;
  - Credit reporting agencies;
  - Information brokers; and
  - Investigation databases and analogous services.
PBGC to Help the Search for Lost DC Participants
The PBGC introduced proposed regulations in September 2016 that would expand its missing-participant search efforts to those in defined contribution (DC) plans, of both active and terminated status. Instead of establishing an individual retirement account (IRA) at a financial institution, the plan will be able to choose to send the money to the PBGC.
The PBGC would add the missing participant to its database, hold the money, and periodically search for the participant. There would not be any ongoing maintenance fees or distribution charges, and interest would be paid on the account by the PBGC. The agency anticipates implementing the expanded program in 2018, after receiving public comments and publishing a final regulation.
Bottom Line for Plan Sponsors
Do you as plan fiduciary know what your procedures regarding lost participants and cybersecurity are?
Given the heightened government scrutiny of benefit distributions, it is wise to review current lost-participant and uncashed check situations. Do you have procedures for locating lost participants? Do you use them? Can you prove it? If not, then add this to the top of your priority list for 2017.
What do you know about your company’s cybersecurity? Who owns the company administering it? What are the internal and external cybersecurity procedures and controls for your benefit plans? Have you added questions about cybersecurity to your requests for proposals (RFPs) and your contract renewals? How will your vendors support you in the event of a cybersecurity incident? Here are a few other considerations in this area related to your service providers:
- Does your service agreement include procedures related to cybersecurity?
- Have your service providers ever had a data breach?
- What are the service provider’s processes for detecting and responding to a data breach?
- How frequently does the service provider conduct a risk assessment?
- How will you be notified if there is a breach?
- Does the service provider have insurance to cover a breach?
- Does the service provider use an independent cyber expert to audit cybersecurity procedures?
Your best defense against a cybersecurity attack is preparation. Plan as if an attack is inevitable. Share these processes and procedures with your internal and external partners. And document all of your key operational processes and procedures.
Mary B. Andersen is president and founder of ERISAdiagnostics Inc., an employee benefits consulting firm that provides services related to Forms 5500, plan documents, summary plan descriptions, and compliance/operational reviews. Andersen has more than 25 years of benefits consulting and administration experience. Andersen is a CEBS fellow and member of the charter class. She also has achieved the enrolled retirement plan agent designation. Andersen is the contributing editor of the Pension Plan Fix-It Handbook.