Industry & Regulatory News

Washington Pulse: Department of Labor Releases Cybersecurity Guidance

Recent cyberattacks have gotten a lot of attention. Some of these hacks have created turmoil through a broad swath of the business community. But another widespread menace threatens our financial security. In fact, even as you read this, the global threat of cybercrime continues around the clock as criminals try to steal retirement plan assets.

A recent Government Accountability Office (GAO) report recommended that the Department of Labor (among other things) establish minimum expectations for addressing cybersecurity risks in retirement plans. According to recent estimates, IRAs and defined contribution plans alone hold well over $10 trillion in assets. And they are ripe for exploitation. On April 14, the DOL’s Employee Benefits Security Administration (EBSA) issued—for the first time—guidance for plan sponsors, fiduciaries, recordkeepers, service providers, and plan participants on best practices for maintaining cybersecurity. This guidance comes in three pieces.

While the links above bring you to the full text of the DOL’s guidance, here are some of the highlights from each.

Tips for Hiring a Service Provider with Strong Cybersecurity

Business owners want to run their businesses. So they often hire third-party vendors to handle matters outside their core competencies. This is also true for administering a retirement plan. Employers regularly look to recordkeepers, third-party administrators, and other service providers to conduct a plan’s day-to-day operations. These suggestions may help business owners and others to select and monitor those who provide plan services.

  • Ask about security standards, audit results, and other practices and policies; look for service providers that use an outside auditor to review cybersecurity.
  • Look for contract provisions that allow a review of audit results to verify whether providers comply with industry standards.
  • Ask about past security breaches—and about the provider’s response to any such breaches.
  • Find out whether they have sufficient insurance coverage to cover losses caused by identity theft and other cybersecurity breaches (both internal and external).
  • Make sure that the contract requires ongoing compliance with cybersecurity and information security standards—and use caution if the contract limits responsibility for IT security breaches.
  • Try to include additional cybersecurity-enhancement terms in the contracts, such as
    • a requirement that the provider obtain an annual security audit;
    • clear provisions on using and sharing confidential information;
    • prompt notification of security breaches, and an investigation into the causes of any breaches;
    • assurance of compliance with all laws pertaining to privacy, confidentiality, or security of participants’ personal information; and
    • adequate insurance coverage (including for errors and omissions, cyber liability, and data breach), which employers should understand to avoid surprises.

Cybersecurity Program Best Practices

This second EBSA piece points out that “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Keep in mind that many service providers carefully avoid taking on an employer’s fiduciary duties. This does not mean, however, that these providers are somehow abdicating their responsibilities. To the contrary, most service providers recognize that, in order to compete in today’s retirement plan marketplace, they must adhere to the highest compliance standards. And employers—as fiduciaries—must select and monitor providers to make sure that these standards are met. So these EBSA best practices can help employers meet their own fiduciary duties by “making prudent decisions on the service providers they should hire.” They can also help service providers see how their current practices measure up, and then take action to improve any deficiencies.

EBSA lists 12 practices that a plan’s service provider should adhere to.

  • A formal, well-documented cybersecurity program. The organization should fully implement a program that identifies internal and external cybersecurity risks.
  • Prudent annual risk assessments. The organization should document the assessment’s scope, methodology, and frequency.
  • Reliable annual third-party audit of security controls. An independent auditor should assess the organization’s security program—including any documented corrections of weaknesses.
  • Clearly defined and assigned information-security roles and responsibilities. An effective cybersecurity program must be managed at the senior executive level and executed by qualified personnel.
  • Strong access control procedures. This helps guarantee that users are who they say they are. It also ensures that they have access to the data they seek. These access privileges should be reviewed at least every three months and disabled or deleted in accordance with a clear policy.
  • Cloud-stored data-security reviews and independent assessments. Because cloud computing raises unusual security concerns, employers must be able to evaluate how a third-party cloud service provider operates. Protections should include certain minimum provisions, such as multi-factor authentication and encryption procedures.
  • Cybersecurity awareness training for all personnel. Because employees can be the weakest link in cybersecurity, frequent training on identity theft and current trends in security breaches is essential.
  • Secure System Development Life Cycle Program. Such programs ensure that regular vulnerability assessments and code review are integrated into any system development. Best practices include requiring validation if a distribution is requested following changes to an individual’s personal information, or if a request is made to distribute an individual’s entire account balance.
  • Business Resiliency Program. Providers need to quickly adapt to disruptions while keeping assets and data safe. Core components of an effective program include a business continuity plan (for business functions), a disaster recovery plan (for IT infrastructure), and an incident response plan (for responding to and recovering from security incidents).
  • Encryption of sensitive data stored and in transit. This includes encryption keys, message authentication, and hashing (which can be used, for example, to avoid storing plaintext passwords in a database).
  • Strong technical controls. Best security practices include robust (and current) antivirus software, intrusion detection, firewalls, and routine data backup.
  • Responsiveness to cybersecurity incidents or breaches. Prompt action should be taken to protect the plan, including notifying appropriate agencies and individuals (e.g., law enforcement, insurer, participants), investigating the issue, and fixing the problem.
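The control described under the Secure System Development Life Cycle item (require validation when a distribution follows a change to personal information, or when the full balance is requested) can be expressed as a simple review rule. The following is an added example, not code from the DOL guidance or from any recordkeeper; the 30-day lookback window, the field names, and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Profile fields whose recent change, followed by a distribution request,
# is a common account-takeover pattern and should trigger out-of-band
# validation (e.g., a call to the participant's previously known number).
SENSITIVE_FIELDS = {"mailing_address", "bank_account", "email", "phone"}
LOOKBACK = timedelta(days=30)  # assumed window; the guidance sets no number


@dataclass
class ProfileChange:
    name: str            # which field changed
    changed_at: datetime


@dataclass
class DistributionRequest:
    participant_id: str
    amount: float
    balance: float
    requested_at: datetime
    recent_changes: List[ProfileChange] = field(default_factory=list)


def validation_reasons(req: DistributionRequest) -> List[str]:
    """Return the reasons (possibly none) this request needs validation."""
    reasons = []
    for change in req.recent_changes:
        age = req.requested_at - change.changed_at
        if change.name in SENSITIVE_FIELDS and timedelta(0) <= age <= LOOKBACK:
            reasons.append(f"{change.name} changed {age.days} days before request")
    if req.amount >= req.balance:
        reasons.append("full account balance requested")
    return reasons


def requires_validation(req: DistributionRequest) -> bool:
    return bool(validation_reasons(req))


def review_requests(requests: List[DistributionRequest]) -> Dict[str, List[str]]:
    """Map each participant id to the validation reasons found (empty = clear)."""
    return {r.participant_id: validation_reasons(r) for r in requests}


# Constructed sample requests (not real data).
SAMPLE_REQUESTS = [
    # Bank account changed 8 days earlier, then the whole balance is requested.
    DistributionRequest("P-1001", 250_000.0, 250_000.0, datetime(2021, 4, 20),
                        [ProfileChange("bank_account", datetime(2021, 4, 12))]),
    # Partial distribution; the only change is well outside the window.
    DistributionRequest("P-1002", 5_000.0, 80_000.0, datetime(2021, 4, 20),
                        [ProfileChange("email", datetime(2021, 1, 5))]),
    # Partial distribution the day after a mailing-address change.
    DistributionRequest("P-1003", 5_000.0, 80_000.0, datetime(2021, 4, 20),
                        [ProfileChange("mailing_address", datetime(2021, 4, 19))]),
]

if __name__ == "__main__":
    for pid, reasons in review_requests(SAMPLE_REQUESTS).items():
        status = "HOLD FOR VALIDATION" if reasons else "clear"
        print(f"{pid}: {status} {reasons}")
```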

Online Security Tips

The final installment of EBSA’s three-part release gives practical pointers that retirement account owners can use to reduce cybersecurity risk. Some tips are fairly self-evident reminders about creating and protecting passwords, avoiding free Wi-Fi networks, and recognizing phishing attacks. Some other tips may not be so obvious—and they bear mentioning here.

  • Register, set up, and routinely monitor online accounts for retirement plans. Failing to register for an online account may enable cybercriminals to assume an account owner’s online identity. Account owners that regularly check their accounts can help detect and respond to fraudulent activity.
  • Use multi-factor authentication. This requires a second credential (like texting or emailing a code) to verify the account owner’s identity before an inquiry or transaction is allowed.
  • Keep personal contact information current. Account owners should ensure that their contact data includes multiple ways to reach them (by phone, text, or email). This will enable more effective communication if there is a suspected security breach.
  • Close unused accounts. Even dormant accounts can contain personal information. If an account isn’t needed, close it. Why give fraudsters the opportunity to steal data?

Next Steps

The previously mentioned GAO report also recommended that the DOL formally state whether cybersecurity is a fiduciary responsibility under ERISA. The DOL declined. It stated that fiduciaries must already “take appropriate precautions to mitigate risks of malfeasance to their plans, whether cyber or otherwise.” Instead, the DOL identified minimum expectations for reducing cybersecurity risks, which should be undertaken by all private-sector employer-sponsored defined contribution plans.

This best-practice guidance (and other tips) does not specifically apply to other types of plans. Nevertheless, prudent employers, financial organizations, and service providers should certainly consider this guidance when determining their approach to cybersecurity for other plans, such as IRAs and healthcare plans. Any time that an entity maintains access to personal information of clients, it must rigorously protect that data. Adhering to EBSA’s cybersecurity best practices is a good place to start.

Ascensus will continue to monitor future guidance on this subject and on other retirement and healthcare plan topics. Visit ascensus.com for the latest updates.



IRS Publication Provides Some Details on Beneficiary Rules and CRD Repayments

The 2020 tax year version of IRS Publication 590-B, Distributions From Individual Retirement Arrangements (IRAs), reflects the following noteworthy updates pursuant to the passage of the Setting Every Community Up for Retirement Enhancement (SECURE), Coronavirus Aid, Relief, and Economic Security (CARES), and Consolidated Appropriations Acts.

10-Year Rule

The publication confirms that designated beneficiaries who are not eligible designated beneficiaries are generally subject to a 10-year payout period. It indicates not to use any of the distribution tables if either the 5-year rule or the 10-year rule applies. The publication also cautions beneficiaries that if the 10-year rule applies, the amount remaining in the IRA, if any, after December 31 of the year containing the 10th anniversary of the owner’s death is subject to the 50 percent excise tax—further validating that the applicability of the 10-year rule is similar to the 5-year rule and no annual minimum distributions would be required, so long as the account was depleted by December 31 of the final year. However, an example within the publication (that was used in previous versions) illustrates a life expectancy calculation for a designated beneficiary where presumably one would not be required, raising questions as to its applicability or whether it was an oversight when the publication was updated.

Additionally, the publication implies that the 10-year rule is not an option for an eligible designated beneficiary if the IRA owner died on or after her required beginning date. Again, this raises questions as to whether this was also an oversight or the IRS is suggesting that the “at least as rapidly” rule would remain for such eligible designated beneficiaries, meaning that life expectancy payments must continue to be disbursed from the IRA once an IRA owner has reached her required beginning date.

Election Deadline for Eligible Designated Beneficiaries

There were outstanding questions on deadlines for making beneficiary elections. The publication states that the deadline for an eligible designated beneficiary making an election is the earlier of

  • December 31 of the year the beneficiary must take his first life expectancy payment or
  • December 31 of the year containing the 10th anniversary year of the owner’s death (or 5th anniversary year of the owner’s death if applicable).

Nonpersons as Beneficiaries

The sections of the publication addressing beneficiaries who are not individuals remain largely unchanged, confirming that pre-SECURE Act rules continue to apply to non-person beneficiaries such as estates, charitable organizations, and nonqualified trusts. Moreover, the sections addressing the “look through” provision for trust beneficiaries also remain unchanged, even though there are numerous outstanding questions on how the SECURE Act provisions apply to trust beneficiaries.

CRD Repayments

The publication specifies that a coronavirus-related distribution (CRD) repayment is to be treated as a trustee-to-trustee transfer in that it is not included in income. This suggests that a CRD taken from a Traditional IRA could not be repaid to a Roth IRA, since trustee-to-trustee transfers may only occur between similar account types.

Proposed regulations addressing beneficiary and required minimum distribution rules under the SECURE Act are anticipated soon and should provide additional clarity.


DOL Releases Additional Prohibited Transaction Exemption Guidance

The Department of Labor (DOL) has issued two pieces of guidance on its new fiduciary advice prohibited transaction exemption, PTE 2020-02. The first piece is titled, “Choosing the Right Person to Give You Investment Advice: Information for Investors in Retirement Plans and Individual Retirement Accounts,” which is intended to educate retirement savers about considerations when choosing a potential advisor. The second piece of guidance, which is briefly highlighted further below, is titled, “New Fiduciary Advice Exemption: PTE 2020-02 Improving Investment Advice for Workers & Retirees,” and is a detailed set of frequently asked questions (FAQs).

PTE 2020-02 was issued under the Trump administration and replaced a fiduciary investment advice guidance package issued under the Obama administration that was struck down in federal court in 2018. While the exemption became effective February 16, 2021, the DOL had indicated related guidance would be published soon.

The guidance again confirms that a temporary EBSA enforcement policy that has been in place since the Obama era guidance was vacated—Field Assistance Bulletin (FAB) 2018-02—will remain in place until December 20, 2021.

The DOL indicates that it is considering additional actions to improve the exemption and the investment advice fiduciary regulation, but that core components of the exemption, including the impartial conduct standards, are fundamental investor protections which should not be delayed, and that any regulatory actions will be preceded by notice and opportunity for comment.

Several questions in the FAQ focus on rollover recommendations, including when the recommendation is considered to be on a “regular basis” and what considerations and documentation are needed to obtain prohibited transaction relief for such recommendations.

In the section titled, “Compliance with PTE 2020-02”, the DOL reviews requirements of the PTE related to the following.

  • Impartial conduct standards, including standards of best interest, reasonable compensation, and making no misleading statements
  • Disclosures concerning acknowledgement of financial institution and investment professional status as fiduciary, as well as any conflicts of interest
  • Policy and procedures to include addressing potential conflicts of interest related to financial institution “payout grid” or fixed percentage commission compensation schemes
  • Retrospective review including careful review and certifications by senior executives of a written report

DOL Releases Cybersecurity Guidance for Plan Sponsors, Fiduciaries, Service Providers, and Participants

The Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) today released a three-part guidance package on cybersecurity for plan sponsors, plan fiduciaries, service providers, and participants. This guidance comes on the heels of the Government Accountability Office (GAO) report on cybersecurity risks for retirement plans released earlier this year. An EBSA news release accompanies the guidance release.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices is a list of tips and questions for plan sponsors and fiduciaries to ask of their service providers about the providers’ cybersecurity practices. The tips are designed “to help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers.” Fiduciaries are encouraged to ask about a service provider’s security standards and practices, how those practices are validated, and how the service provider responded to any past security breaches. Additionally, fiduciaries are advised to ensure that their contract with a service provider covers areas regarding cybersecurity protection for the plan and its participants.

Cybersecurity Program Best Practices is a list of 12 best practices that recordkeepers and other service providers responsible for plan-related IT systems and data should follow. While designed as best practices, in implementation the list appears to establish minimum standards that recordkeepers should follow regarding their IT systems that hold plan and participant data. Among the recommendations, the best practices define how a “prudently designed” cybersecurity program will operate, including reviews of annual risk assessments and third-party audits, and how a recordkeeper maintains access control of information among its employees. Recordkeepers are also advised to maintain business continuity, disaster recovery, and incident response plans.

Online Security Tips is a list of common-sense recommendations for participants and beneficiaries to follow to help reduce the risk of fraud and loss in their retirement accounts. While designed with retirement accounts in mind, this list provides good recommendations for all general online activity that everyone should keep in mind. Individuals are advised to register and routinely monitor their online accounts while using strong and unique passwords with multi-factor authentication. Being mindful of phishing attacks and wary of free wi-fi are also important to reduce a criminal’s access to one’s personal information and accounts.


DOL Issues Additional COBRA Premium Assistance Guidance Under ARPA

In response to the requirements under the American Rescue Plan Act of 2021 (ARPA) to provide model notices and additional guidance in relation to COBRA premium assistance, the Department of Labor has issued model notices and frequently asked questions (FAQs). The FAQs confirm the following.

  • Premium assistance will apply to all group health plans subject to COBRA (including major medical, dental, and vision), except health flexible spending arrangements.
  • Premium assistance will also be available for group health insurance that is required by state mini-COBRA laws.
  • Assistance-eligible individuals will not need to pay administrative fees that they would normally be charged.
  • Assistance-eligible individuals must elect COBRA within 60 days of receiving their notice of premium assistance. This deadline is not extended by the guidance based on the Joint Notice and the EBSA Disaster Relief Notice 2021-01.
  • Individuals who are eligible for COBRA but have not elected coverage can choose to start their coverage as of April 1, 2021, and do not have to elect any coverage retroactively before that date.

IRS Confirms Tax Filing Extension and Announces Postponed IRA, HSA Contribution Deadline

The IRS has issued Notice 2021-21, in which the IRS makes official the previously announced delay of the April 15, 2021 federal income tax filing due date for individuals for the 2020 tax year to May 17, 2021. This delay is a result of the ongoing COVID-19 Emergency Declaration issued in March 2020.

The tax return due date for an affected taxpayer is automatically postponed to May 17, 2021. An “affected taxpayer” is defined as any person with a federal income tax return or income tax payment filed on a Form 1040, U.S. Individual Income Tax Return, series with an original due date of April 15, 2021. No form, including IRS Form 4868, Application for Automatic Extension of Time To File U.S. Individual Income Tax Return, is required to obtain this relief, and it applies to all schedules, returns, and other forms that are attachments to the Form 1040 series or required to be filed by the Form 1040 series due date.

In conjunction with the Form 1040 series delay, Notice 2021-21 also automatically postpones to May 17, 2021,

  • the time for affected taxpayers to make 2020 contributions to their Traditional IRAs and Roth IRAs, health savings accounts (HSAs), Archer medical savings accounts (Archer MSAs), and Coverdell education savings accounts (Coverdell ESAs), and
  • the time for reporting and payment of the 10 percent additional tax on amounts includible in gross income from 2020 IRA or employer-based retirement plan distributions.

The due date for filing and furnishing forms in the Form 5498, IRA Contribution Information, series is postponed to June 30, 2021.

This relief provided for filing federal income tax returns and paying federal income taxes does not apply to businesses or any other type of taxpayer who files federal income tax returns on forms other than the Form 1040 series. Notice 2021-21 further states that “no extension is provided in this notice for the payment or deposit of any other type of federal tax, including federal estimated income tax payments, or for the filing of any federal return other than the Form 1040 series and the Form 5498 series for the 2020 taxable year.”

While this guidance only applies to the filing of federal tax returns, many states have issued similar delays. Individuals are advised to review their state and local regulations to ensure compliance with all 2020 filing deadlines.


Adeyemo Confirmed as Deputy Secretary of the Treasury

Wally Adeyemo has been confirmed as Deputy Secretary of the Treasury after the Senate approved him in a bipartisan voice vote. The Senate Finance Committee unanimously approved his nomination in March before the Senate floor vote.

The deputy secretary plays a primary role in the formulation and execution of Treasury policies and programs in all aspects of the department’s activities. Adeyemo has previously served as deputy director of the White House National Economic Council and deputy national security adviser during the Obama administration. He also served in several senior management positions at the Department of Treasury—including senior advisor and chief of staff. Before this appointment, Adeyemo was a senior advisor at Black Rock.


IRS Provides Guidance on Personal Protective Equipment as Medical Expense

The IRS has issued Announcement 2021-7, indicating that amounts paid for personal protective equipment (PPE)—such as masks, hand sanitizer, and sanitizing wipes—that are primarily used to prevent the spread of COVID-19, are treated as amounts paid for medical care under Internal Revenue Code Section 213(d). As a result, the amounts are also eligible to be paid or reimbursed under health flexible spending arrangements (FSAs), health reimbursement arrangements (HRAs), and health savings accounts (HSAs).

Group health plans—including health FSAs and HRAs—may be amended pursuant to this announcement to provide for reimbursement of COVID-19 PPE expenses incurred for any period beginning on or after January 1, 2020. Employers choosing to amend their plans must do so by the last day of the first calendar year beginning after the end of the plan year in which the amendment is effective. Retroactive amendments are not permitted after December 31, 2022.


Congress Votes to Extend Paycheck Protection Program

A proposal to extend the Paycheck Protection Program (PPP) through the end of May has passed the Senate by a vote of 92-7. The PPP was set to expire on March 31, 2021, just weeks after changes were made to expand availability to certain small businesses. The House had voted earlier this month to pass the bill, and it now heads to the President for signature.

PPP loans were initially created by the Coronavirus Aid, Relief, and Economic Security Act. The loans are meant to assist small employers in retaining employees on their payrolls in a time of financial stress during the coronavirus pandemic. If certain conditions are met, PPP loans can be forgiven and treated as a grant. Among the conditions for full forgiveness is a requirement that 60 percent of loan proceeds be used for payroll expenses. These expenses can include wages and salaries, as well as employer contributions to defined contribution and defined benefit retirement plans. Expenses for providing group healthcare coverage—including payment of insurance premiums—can also be included.


Marty Walsh Confirmed as Secretary of Labor

Former Boston Mayor Marty Walsh was confirmed on Monday as Secretary of the Department of Labor (DOL). In a 68-29 vote, the Senate confirmed Walsh to take over the DOL as the coronavirus pandemic has left millions unemployed amid economic uncertainty.

Walsh, a former labor union leader, resigned as Boston mayor Monday. He will be responsible for overseeing the DOL and fulfilling the Biden administration’s agenda. While initially expected to focus on workplace safety concerns arising from the pandemic, Walsh will have a role in deciding how the DOL proceeds with the Financial Factors in Selecting Plan Investments and Fiduciary Duties Regarding Proxy Voting and Shareholder Rights rules. The DOL recently announced that those rules will not be enforced until further guidance is published.