Coaching the Pension Plan Committee on DOL cybersecurity considerations
Individuals serving as trustees for their company’s retirement plan often feel they are not adequately informed or qualified to make prudent decisions about the plan. You may be asking, “How do I know which investments are prudent?” Or “What level of plan fees is ‘appropriate’”? Now, the DOL requires plan trustees to evaluate cybersecurity carefully and may lead many plan trustees further out of their comfort zone.
We saw this move in episode 1 of our Musings series when a new member of the Pension Fund Committee raised concerns that it was qualified to make decisions about the new DOL cybersecurity guidelines. Knowing that the Pension Plan Committee has a solid training program, the committee chair assured the new committee member that some upcoming training could help …
Chairman of the Pension Committee: So what do you think of the training?
New committee member: It was long! And I have to admit, when I saw the agenda that our ERISA attorney would present for 90 minutes, I immediately went for a second cup of coffee! But I was wrong. The moderator was pretty good at putting complex and unfamiliar concepts into easy-to-understand, bite-sized pieces. She has certainly allayed some of the concerns I raised with you last week while helping me see how the cybersecurity issue is intertwined with our fiduciary duties.
Committee member A: I agree 100%,%. To date, I have not fully understood the scope of our duty as trustees. I thought protecting assets in the plan simply means making good investments and controlling fees.
Committee member B: Yes, but did you hear what the lawyer said? It’s not about the “if”, but about the “when” we have a violation. So why spend all this time doing it when we’re only going to have one breach anyway?
Chairman of the Pension Committee: Maybe, but the message was not that we have to be perfect, but that we should be careful. We must exercise due diligence when making decisions, but we cannot guarantee a result.
Committee member B: The lawyer has stated that we have to be careful that no one steals money from participant accounts. It’s like playing cops and robbers, but now the robbers can be thousands of miles away and steal your computer in one fell swoop. How should we handle this?
New committee member: That’s exactly what I didn’t hear. I’ve heard that we have to be proactive, not reactive. We need to think more critically about the risk to the plan’s data and assets. We need to consider the types of safeguards that are in place in the company and with any vendor providing services for the plan. We need to learn more about what these safeguards should be and maybe even bring in some expertise to find out. We can’t just wing it! And our own IT team may not have this expertise and be aware of the latest types of attacks.
But, she warned, that even that may not be enough, since no security precautions are perfect. It’s like building a trench around the Plan’s assets, but also realizing that the attackers are clever and can use the drawbridge and trench to find their way around. So we need to be prepared to respond to the inevitable data breach.
I feel better knowing that we don’t have to be perfect to do our fiduciary duty, but that we also have some things to do, including documenting our process.
Committee member A: Exactly. You’re right. Before the meeting, I was totally confused and had visions of cyber attacks from Mars. The consultant explained the situation and provided specific examples. It was helpful to know that we could develop a roadmap that we could follow. I feel better that the situation can be addressed if we take the time and effort to understand it. She went through it step by step and identified some common shortcomings and strategies for mitigation.
Chairman of the Pension Committee: There’s certainly a learning curve here, but it sounds like we’re on our way. Tonight was the first step to approach this new issue carefully and we will build on that. There is a lot to unpack here. For example, it’s not just about passwords, firewalls and encryption, but also about identity verification.
We all have approved distributions and withdrawals requested by attendees. Is our process good enough to distinguish a genuine request from a fraudulent one? How much time does each of us actually take to review inquiries, question the frequency of inquiries, or consider where they are coming from?
New committee member: The lawyer said she would be there for our next meeting, right?
Chairman of the Pension Committee: Yes that’s right. She can call in an IT company to help us out and start working out a plan to solve this problem.
Committee member B: That’s good because I spoke to a friend of mine who works on his pension plan committee and DOL has already started looking at plans on these issues. I volunteered to serve on this committee but I am concerned about liability. I want to do more to protect myself and the plan.
The committee seems to be moving in the right direction. They now realize that they cannot be experts in all aspects of plan management and that some basic training can help them make better, more prudent decisions. However, they also recognize that a plan is needed to address the cybersecurity risk assessment process for plan assets and plan data.
© 2021National Law Review, Volume XI, Number 202