PSNC 2021: Fiduciary Mistakes to Avoid

ERISA attorneys advised plan sponsors to shore up their cybersecurity efforts and continue regular benchmarking work.

The second day of the 2021 virtual PLANSPONSOR National Conference (PSNC) featured a lively discussion among four attorneys and a financial adviser as part of the “Fiduciary Mistakes to Avoid” panel held Tuesday morning.

With so many new regulations and pieces of legislation to keep up with, even the most diligent plan sponsors can lose sight of all the tasks that need to be done, or make a mistake, the panelists said.

“Compliance issues are often interrelated,” said Percy Lee, an associate attorney with Ivins, Phillips & Barker.

Along those lines, plan sponsor fiduciaries need to follow more than just the Employee Retirement Income Security Act (ERISA) and guidance from the Department of Labor (DOL), he said. They also need to comply with IRS rules, Health Insurance Portability and Accountability Act (HIPAA) regulations and state laws, as well as the General Data Protection Regulation (GDPR) if the firm has a presence in the European Union.

He also said plan sponsors need to encourage their committees to document fiduciary discussions and integrate those key points into their requests for proposals (RFPs).

Sponsors can get help with all of this from their ERISA attorneys, retirement plan advisers/consultants or benefits brokers, Lee said. The thing to keep in mind when trying to keep up with all of these requirements, he added, is that some of them are not “commandments or regulations,” which is why the insight of fiduciary partners can be so helpful.

Cybersecurity Guidance and Simulations

One issue that should be top of mind for sponsors right now is the restricted use of plan participant data, as spelled out in the recent Northwestern University and Shell lawsuits, Lee said. This should lead sponsors and their advisers and consultants to hold conversations on data security and privacy, he continued.

He also said the recent DOL guidance on cybersecurity should make sponsors aware that they need to elevate participants’ “online ‘street smarts’” when it comes to their protection of their accounts and personal data.

“The DOL guidance affirms the importance of cybersecurity measures when selecting recordkeepers and other vendors with access to plan information,” Lee said. “Sponsors must conduct due diligence on policies, procedures and track records, and formalize these commitments into their service agreements. They must then continue to evaluate them, and document that.”

This can be done simply, through education, he suggested, noting that “the end user has a critical role in reducing harm from cyberattacks.”

Forward-thinking retirement plan advisers are also using “red team/blue team exercises” in their cybersecurity efforts, said Michael Kane, managing director of Plan Sponsor Consultants. In these exercises, a “red team” is a group that plays the role of an enemy or competitor attacking a company’s cybersecurity defenses and provides security feedback from that perspective, and the “blue team” fights back against the simulated intrusion.

Moderator W. Michael Montgomery, managing principal with Montgomery Retirement Plan Advisors, said he is aware of more and more plan sponsors going through these simulations, but because the security findings are so sensitive, most companies keep those findings and discussions at the retirement committee and/or board of directors level. “There is a hesitancy to get that detailed,” Montgomery said.

That is where the “use of appropriate experts can help [plan sponsors] make the appropriate decisions” with respect to their cybersecurity protocols, said Michael Rosenbaum, a partner with Faegre Drinker Biddle & Reath. “There are secrets that they want to protect. Generally, we see sponsors talk about this in committee meetings.”

Regular Benchmarks

One fiduciary duty that sponsors need to exercise on a regular basis, said Summer Conley, a partner with Faegre Drinker Biddle & Reath, is benchmarking or conducting due diligence on plan providers on a regular basis.

But they shouldn’t stop just there, she continued. Sponsors must ask themselves, “‘Who else should I benchmark? What else is overlooked?’” Conley said. “They shouldn’t just be focusing on recordkeepers. Rather, they should consider anyone providing services that are being paid for their services. That includes trustees, auditor(s), investment consultants, actuaries and others. They need to benchmark these providers and select a provider for a reasonable fee—and there is a range of ‘reasonableness’ where that is concerned. That is the key point, not that they should pick the cheapest provider all the time.”

A rule of thumb that sponsors can keep in mind is to keep their eyes and ears open to developments and new services in the industry, Rosenbaum said.

In other words, don’t be that plan sponsor who “gets in a five-, six-, 10-year ‘comfort zone,’” he said.