June 7, 2023

A Practical Implementation of DOL’s Cybersecurity Guidance

In this article, I share edited excerpts from my recent interview with Jay Gepfert, Managing Partner of DOL Cybersecurity, LLC, where we discussed ways retirement and benefit plan sponsors can meet the standards set out by the Department of Labor's Cybersecurity Guidance, issued in April 2021.

Listen to the entire podcast episode here

The Department of Labor's sub-regulatory guidance came in the form of three publications.

One is titled Online Security Tips, which is mainly intended to advise individuals on protecting their personal information and accounts online.

A second, called Tips for Hiring a Service Provider, helps plan sponsors by outlining what to look for and questions to ask prospective providers about their systems controls and cybersecurity practices.

And a third, titled Cybersecurity Program Best Practices, is the most detailed of the three and enumerates 12 best practices with several sub-points for each.

In this article, whenever we refer to the DOL's guidance or guidelines, we mainly refer to the best practices publication, which contains specific suggestions for plan sponsors and fiduciaries.

What are plan sponsors supposed to do?

While these publications don't set forth specific actions that fiduciaries are required to take, it's clear the Department of Labor's intention is for this guidance to form a standard for how proper benefit plan-related cybersecurity measures should be established and maintained.

Join us for a discussion about cybersecurity

Matt: Jay, thank you for being a guest on The Retirement Space Podcast. Before we get into cybersecurity, I'd like to hear how you got to this place in your career of providing cybersecurity assessments for plan sponsors.

Jay: It's an interesting journey how I got here. I've sat on all sides of the fiduciary table, working for a record keeper, an investment manager, and then before I started my own business, as a consultant.

A little bit of this gray hair shows that I've lived through the 2010 and the 2013 DOL guidance on reasonableness of plan fees and target date funds. Both were transformative in the industry. Fees have dropped in every corner of the industry. DC plan assets have moved primarily to index target date funds. There's been a consolidation of advisers and record keepers. And those changes continue to speed through the market.

This latest DOL guidance on cybersecurity will be the next chapter for advisors, sponsors, and service providers associated with retirement and benefit plans.

I have a sister business, Culpepper RFP, which helps plan sponsors evaluate and select service providers in the retirement, benefit, and endowment and foundation space. At Culpepper, we're very busy helping plan sponsors monitor fees and services.

DOL Cybersecurity, LLC is a spin-off of that business. We started this business about six months ago because we believe plan sponsors will need help navigating the new DOL cybersecurity guidelines that came out in 2021.

Matt: Even though the guidance has been out for a couple of years, we're still in the early stages of seeing how plans react and comply. But given that you've put together a service specifically focused on cybersecurity, I take it that you saw this latest guidance as particularly significant.

Jay: Having seen the power the DOL has when they come out with “guidelines” and what it did the first two times in terms of fees and target date funds, I clearly saw that this would be another transformative moment for the industry.

Just now, plan sponsors and ERISA counsel are beginning to react and trying to decide how they should respond. And again, I think our industry will be transformed when this is in full effect.

Matt: To understand the scope of coverage, tell us what types of plans this guidance covers.

Jay: Two broad categories: retirement plans and other employee benefit plans. On the retirement side, that means 401(k), 403(b), and pension plans. And then health and welfare plans are also within the scope of the guidance.

When the guidelines came out, some thought it only applied to retirement plans. But now, ERISA counsel has come out and told many of their clients that this also applies to other benefit plans.

Matt: When the guidance came out, some thought the compliance burden might fall mainly on the service providers. But the ultimate responsibility for complying with this guidance falls on the plan sponsor. Is that correct?

Jay: Yes. The DOL has come out and said the plan sponsor needs to evaluate whether their service providers have proper cybersecurity processes in place. The responsibility for doing a check on those processes and controls belongs to the plan sponsor.

And that's no different than when reasonableness of fees came out or when guidance about target date funds came out. The buck stops with the fiduciary, and that's the plan sponsor.

Matt: From the DOL’s standpoint, what are the consequences of a security breach or lack of compliance with the guidance? Do we know the consequences, or is it still too early to say?

Jay: Historically, there have been two types of responses to DOL guidance such as this. First, when the guidelines come out, they recommend plan sponsors have this assessment done so that you're ready to answer the DOL’s questions during an audit.

But the other situation we saw with both target date funds and reasonableness of fees is when outside litigation merges with Department of Labor guidelines. That's when it's transformative in the industry.

We have just started to see the first couple of bits of litigation regarding DOL cybersecurity, so the effect of litigation hasn't arrived quite yet. But, if we look back in history and predict what the future is going to be, it will be coming, and it will be coming soon because litigation usually follows where the largest assets are.

Matt: Being that we're still in the early days, it seems like this is still a work in progress. By “this” I mean exactly what constitutes compliance with the guidance.

Jay: I agree, and one thing that will be interesting to see, like with many of these guidelines that have come out, is that the first to react are the largest plan sponsors in terms of assets or participants. They have the most to lose. They're typically the ones that get audited the most.

So that's where most of the initial work is coming from. But understand, if you're a plan sponsor, this DOL guidance applies to you regardless of your size. We may see some refinement in coming years regarding the guidance and plan sponsors' responses. But for now, they've asked for two things: one, that an independent third party do the assessment, which is why we started our company; and two, that it be done on an annual basis.

Matt: Take us through, at a high level, how you perform a cybersecurity assessment on a plan.

Jay: Let’s go back to what the DOL’s guidance says.

They came out with a document, Cybersecurity Program Best Practices, that has 12 major points in it. And then, underneath those 12 major points are 74 additional sub-points. We take those 12 plus the 74, and line them up on the left-hand side of an evaluation so the plan sponsor can see the requirements that are being asked by the Department of Labor.

And then, when the plan sponsor hires us, we go to the service provider and ask for the information to determine whether they are meeting each standard. We might get this information in the form of SOC reports or other sources, or if we need to conduct personal interviews, we'll do that as well.

With this information, we assess the 12 + 74 as to what that service provider is doing. We do that analysis and say thumbs up or thumbs down for each category.

We then give this information to the sponsor and make sure they understand it's their responsibility to communicate with their service provider if they have gaps in their cybersecurity processes.

Ultimately, the assessment is used by the plan sponsor if they are audited by EBSA (the agency of the DOL responsible for administering, regulating, and enforcing ERISA). It ensures that the plan sponsor is ready to answer their questions.

And that has already started to take place. I've talked with ERISA counsel, whose clients have been audited, and the auditors are already asking questions about cybersecurity issues.

A few months ago, a lawyer told me that for one of their clients, it was an extremely uncomfortable audit because they had done nothing.

Matt: When you do an assessment, what's the experience for the plan sponsor? How involved do they get in the process?

Jay: We try to take as much responsibility off the plan sponsor as possible.

The first thing we do is work with the plan sponsor to identify which service providers need an assessment. Typically, it's just going to be for those who have participant data and information where a potential breach could occur. Sometimes that's very simple, and sometimes that can be very complicated in terms of DC plans, DB plans, and benefit plans.

Once that occurs, the plan sponsor sends an e-mail to their service providers letting them know that DOL Cybersecurity, LLC will be assessing them and that they should respond to our requests for information.

And then we take over. Most major service providers are ready for this. Some are not. And they'll provide us with either pre-organized information such as SOC reports or other information we can use.

Assuming they respond to our inquiry, we take that information and begin our assessment.

We have seen some service providers that just go silent, and don't respond. In our agreement, we say we'll give it three shots to get a response from the service provider, and if not, we'll go back to the plan sponsor and have them connect with their service provider and let them know they need to respond.

Matt: How long does it usually take to do an assessment?

Jay: Right now, let's assume we have a signed agreement; from that date forward, it will typically take about 90 days to prepare an assessment.

The length of time depends on how comprehensive the information is from the service providers and how quickly they respond to our inquiries.

Most of the big gaps in time are when the service providers are not responding or what they've provided to us is incomplete. If we don't get the information we need, we then need to schedule interviews with the appropriate people to fill in any of the gaps. And we record those conversations for documentation purposes.

Matt: What is your response to a plan sponsor who might question whether they can’t just hand over this task to their IT department and let them deal with it? Why do they need to hire a specialist like your firm?

Jay: That's a good question, and there are two parts to the answer.

Number one, the DOL specifically suggests in their guidelines that an independent third party complete the assessment. I would say that doing it in-house probably does not meet the independent third-party standard. Whether or not, in an audit, the auditor would accept an assessment from the plan sponsor's IT department, I can't say.

Number two, even if that is allowed, this is the merger of two different areas: ERISA and cybersecurity. And what we have found is that plenty of organizations know ERISA and other organizations know cybersecurity, but few if any know both. From a practical standpoint, having an organization that knows both is important.

Also, we've gotten feedback from organizations that say their in-house cyber teams do not have the time and resources to do these assessments. Their internal people have too many other projects on their plate, and this work would fall low on their list of priorities.

Matt: That's a great point. You and I understand the gravity of the DOL, and ERISA, and the rules surrounding benefit plans. I don't imagine too many internal IT organizations have that same appreciation. And that's not a criticism of tech teams. It's just not something they've had exposure to, or at least not the same level of exposure to the seriousness of guidance that comes down from a regulatory body like the Department of Labor.

Jay, what key points would you like people to take away from this conversation? Particularly plan sponsors, advisors, and ERISA attorneys?

Jay: First, history has shown us that when the DOL comes out with guidelines, they're serious about it. For those plan sponsors, large and small, who think this will disappear over time, I think they'll likely be sadly mistaken.

In addition, I don't think we'll see the full effect of this guidance until we see more litigation in the marketplace. Litigation will drive behavior, as we've seen with other DOL guidance.

Another point to consider is if you're out looking for an independent organization to do this assessment, that organization should have expertise both in ERISA and cybersecurity. From what we've seen, few organizations have that. And I think that's an area where the rubber meets the road in terms of being able to do these assessments.

The final point I'd make is that, I believe, we're 6 to 12 months away from a cybersecurity expertise capacity shortage. The need for this expertise is growing rapidly, and if we see a wave of demand for DOL cybersecurity assessments, it may be difficult for plan sponsors to find the expertise they need.

Matt: Are you getting many inquiries from plan sponsors or ERISA counsel about doing these assessments?

Jay: Absolutely. In the last three months, we've seen a 300% increase in inquiries about our services and the cost of doing an assessment. Almost all the interest is coming from ERISA counsel. They're talking to their clients. They're suggesting that it be done.

We're also seeing interest from very large plan sponsors. They're reacting to this first. And we're hearing from multiple employer and Taft-Hartley plans who are showing interest.

This week alone, I've had three conversations with outside ERISA counsel regarding what could be done, how we can assist them, what's taking place.

And so, it's ramping up, and my observation, having lived through 2010 and 2013 with the other DOL guidelines, is this is right on track with what we saw over the last 10 to 12 years.

Matt: It is going to be interesting to see how this plays out. Certainly, cybersecurity is something that plan sponsors and fiduciaries take seriously. Still, until you read the best practices publication, it's hard to appreciate the scope of the tasks that should be done and how to do them well. Again, this is not a paid promotion, but I see how engaging an outside firm to assist in assessing service providers would be extremely helpful.

Jay: We got into this business because DOL Cybersecurity, LLC combines two pieces of expertise. I have over 20 years of ERISA expertise in consulting, asset management, and record keeping. And my partner, Jeffrey Wu, has 30 years of experience in technology and the cyber world. We combine those two areas of expertise, which in our opinion, is what's required to do these assessments well.

In addition, we've made a strategic decision that we will only do these DOL assessments. We're not going to do general consulting for other cyber projects. We've had organizations come to us already because they can't find a company to do something for them, but we will stay highly focused in this area. And from what we've heard from ERISA counsel and the limited number of plan sponsors that come to us directly, that's pretty darn unique in terms of what's available in the marketplace right now.

Matt: Jay, thank you again for being a guest. After this conversation, I feel this is just the beginning of a discussion about how plan sponsors will be ensuring their plans operate properly from a cybersecurity standpoint.

Jay: I appreciate the opportunity to talk with you. I hope this was helpful for you and your listeners, and I look forward to potential future conversations.

~*~*~*~*~*~*~

Links and Contact Information

Disclosures and Disclaimers

  • Nothing in this article is intended to be, or is, financial or legal advice,
  • Statements and opinions expressed by those interviewed for this article do not necessarily reflect those of the host, Matt Smith, and
  • The content in this article is not a paid promotion.

And Finally

  • Subscribe to The Retirement Space podcast on Apple Podcasts, Spotify, or wherever you like to listen to podcasts.
  • Please consider leaving us a review or rating on Apple Podcasts. Five-star ratings help new listeners find this show.
  • You can find all episodes for The Retirement Space Podcast and companion blog posts at theretirementspace.com.
  • Follow me on LinkedIn here
  • Send your comments, questions, or suggestions for topics or guests to me at matt@theretirementspace.com