By Greg Garrett, Beth Lee Garner, and Mary Espinosa
The U.S. Department of Labor (DOL) announced a proposed new rule in October 2019 that would allow retirement plan sponsors to post plan disclosures online, rather than having to deliver this information via physical mail. While the DOL has emphasized that the proposed rule should result in increased convenience and reduced printing and mail expenses for companies, plan sponsors should very seriously consider the cybersecurity issues that accompany the electronic disclosure of sensitive plan and participant information. In fact, it is their fiduciary responsibility to do so.
Background on the Electronic Disclosure Rule
The proposed “Retirement Plans Electronic Disclosure Safe Harbor Rule” offers plan sponsors more options to fulfill their obligation to provide required documents and disclosures to participants and beneficiaries. The DOL expects that the rule, when finalized, will save about $2.4 billion on printing and mailing costs over the next 10 years. The rule applies to most plans covered by the 1974 Employee Retirement Income Security Act (ERISA), but it doesn’t cover employee welfare plans.
The proposed rule includes a safe harbor option allowing plan sponsors to put certain notices on a website, instead of sending paper announcements via physical mail. Before the transition to electronic disclosures, participants will be notified of the coming change and will be provided the opportunity to opt out of the new procedure and continue receiving printed information via mail.
Electronic Disclosure Heightens Cybersecurity Risks
While transitioning to a modern communication format to increase convenience and lower costs sounds very attractive, plan sponsors have a fiduciary responsibility to ensure that participants’ data are protected. The proposed rule remains vague regarding data protection requirements, simply stating that plan administrators must take reasonable measures to ensure confidential information is safeguarded.
Benefit plan documents carry a multitude of sensitive information, such as Social Security numbers, account balances, and home addresses. BDO research into “Cybersecurity Guidelines for C-Suite Executives” shows that intellectual property, personally identifiable information, protected health information, and payment and card information are highly valuable data points targeted by hackers. Even if this information is stored by service providers, plan sponsors are still obligated by law to ensure the information is protected.
How Plan Sponsors Can Prepare for Electronic Disclosure
The good news is that plan sponsors have time to address potential cybersecurity issues as well as review and update current processes before the proposed rule goes into effect. Once the electronic disclosure rule is finalized, it will become effective 60 days after it is published in the Federal Register. The rule will not apply to plans until January 1 of the year following the final rule, so the soonest the rule will be in effect is January 1, 2021.
In the interim, plan sponsors should take a close look at the cybersecurity controls needed to protect sensitive data and other information. BDO recommends a threat-based cybersecurity approach to prevent cyber-attacks and limit the costs associated with a potential breach. This approach analyzes a company’s unique threat profile, identifies at-risk areas, and creates a range of proactive steps to safeguard sensitive information.
Some guidelines to a threat-based cybersecurity approach include:
- Hiring an independent firm to assess specific areas, including email, network, and endpoint vulnerabilities, susceptibility to spear-phishing, and other security assessments
- Using strong encryption and two-factor authentication, above and beyond password-only identification
- Offering effective cybersecurity education and training for the entire workforce
- Developing a solid governance plan to map, track, and secure all data
- Reviewing and testing the organization’s Incident Response Plan (IRP)
- Verifying compliance of the organization’s cybersecurity plan among service providers
BDO Insight: Don’t Let Convenience Trump Security
Information is valuable. Sensitive information is even more so. In fact, U.S.-based organizations paid an average of $8.2 million to fix data breaches in 2019, according to a recent analysis by the Ponemon Institute and IBM Security.
The DOL’s proposed rule to allow electronic disclosure of retirement plan information should lead to greater convenience and better transparency for plan participants. But before celebrating the convenience and efficiencies that should accompany electronic disclosure, plan sponsors must take a serious look at their controls to protect against cybersecurity threats. Plan sponsors who rush to modernize communication strategies may wind up spending much more addressing cyber breaches than the amount they save on printing and mailing costs.
Convenience and efficiency are important, but they shouldn’t trump security.
For questions or assistance, contact us at 717-569-2900.
This article originally appeared in the BDO USA, LLP’s Assurance Newsletter (February 2020). Copyright © 2020 BDO USA, LLP. All rights reserved. www.bdo.com.