Retirement Plan Committee Training on DOL Cybersecurity Issues
People who serve as trustees of their company’s pension plan often feel that they may not be sufficiently informed or qualified to make prudent decisions for the plan. They might ask, “How do you know which investments are prudent?” or “How much of the plan fee is ‘reasonable’?” Now that the DOL requires plan trustees to carefully assess cybersecurity, many plan trustees are being pushed out of their comfort zone.
We started to see this develop in Episode 1 of our Reflections series, when a new member of the retirement plan committee expressed concerns about being qualified to help make decisions regarding the new DOL cybersecurity guidelines for the company’s plan. Knowing that the pension plan committee maintains a solid training program, the committee chair reassured the new committee member that future training could help …
Chairman of the pension plan committee: So what did you think of the training?
New committee member: It was long! And, I have to admit, when I saw the agenda indicating that our ERISA lawyer was going to give a 90-minute presentation, I immediately went for a second cup of coffee! But I was wrong. The presenter was quite good at breaking complex and unfamiliar concepts into bite-sized, easy-to-understand chunks. She certainly allayed some of the concerns I expressed to you last week, while also helping me see how the issue of cybersecurity intertwines with our fiduciary duties.
Committee Member A: I agree 100%. Until today, I had not fully understood the extent of our fiduciary duty. I thought protecting plan assets just meant making good investments and controlling fees.
Committee Member B: Yes, but did you hear what the lawyer said? It is not a question of “if” but of “when” we have a breach. So why spend all this time if we’re just going to have a breach anyway?
Chairman of the pension plan committee: Maybe, but the message was not that we have to be perfect, but that we have to be careful. We must exercise due diligence when making decisions, but we cannot guarantee a result.
Committee Member B: The lawyer explained that we have to make sure that no one steals money from participants’ accounts. It’s like playing cops and robbers, but now the robbers can be thousands of miles away, stealing with a computer. How do we deal with this?
New committee member: That’s not exactly what I heard. What I heard was that we need to be proactive, not reactive. We need to think more critically about the risk to plan data and plan assets. We need to consider the types of protections that are in place within the business and with any vendor that provides services to the plan. We need to know more about what those safeguards should be, and maybe even bring in some expertise to help us understand that. We can’t just wing it! And our own IT team may not have that expertise or be on top of the latest types of attacks.
But, she warned, even that might not be enough, as no set of safeguards is perfect. It’s like building a moat around the plan’s assets, but also realizing that attackers are sophisticated and can find their way around the drawbridge and moat. So we must be prepared to respond to the inevitable data breach.
I feel better knowing that fulfilling our fiduciary duty doesn’t require us to be perfect, but we also have work to do, including documenting our process.
Committee Member A: Exactly. You are right. Before the meeting, I was totally confused and had visions of cyber attacks from Mars. The lawyer explained the situation and gave concrete examples. It was helpful to know that we could develop a roadmap to follow. I feel better knowing that the situation can be addressed if we take the time and effort to figure it out. She took it step by step, identifying some common gaps and mitigation strategies.
Chairman of the pension plan committee: There is definitely a learning curve here, but it looks like we’re on the right track. Tonight was the first step in carefully approaching this new problem, and we will build on it. There is a lot to unpack here. For example, based on the presentation, it’s not just about passwords, firewalls and encryption; we also need to consider identity verification.
We have all approved the distributions and withdrawals requested by participants. Is our process good enough to distinguish a real request from a fraudulent one? How much time does each of us actually take to review requests, question the frequency of requests, or determine where they are coming from?
New committee member: The lawyer said she would be at our next meeting, didn’t she?
Chairman of the pension plan committee: Yes, that’s right. She can bring in an IT firm to help us further and start making a plan to address this issue.
Committee Member B: That’s good, because I spoke with a friend of mine who sits on his retirement plan committee, and the DOL has already started auditing plans on these issues. I volunteered to sit on this committee, but I’m concerned about accountability. I want to do more to protect myself and the plan.
The committee appears to be heading in the right direction. They now realize that they cannot be experts in all aspects of plan administration and that basic training can go a long way toward helping them make better, more careful decisions. But they’re also realizing that they need a plan for tackling the process of assessing cybersecurity risks to plan assets and plan data.
Jackson Lewis P.C. © 2021 National Law Review, Volume XI, Number 202