Hamsters, Cyber Security and Retirement Plans

I typically mute the remote during commercials but a recent ad caught my attention. In "Who's sharing your cloud?" the Ogilvy Group adds glam (actor Dominic Cooper), cute (tiny hamster) and a morality tale (video unexpectedly goes viral) to showcase the downside of not having a dedicated cloud server for a business. This short promotion is a great illustration of risk management at its core.

  • Something seemingly benign creates a costly problem.
  • By not being pro-active, an organization incurs a loss.
  • The cause could have been evaluated and addressed ahead of an adverse effect.

While this television spot and similar messages about technology risk are typically geared to the business community at large, retirement plan sponsors should take heed. Sensitive data about participants, in the wrong hands, can be disastrous. According to "Top 10 Cybersecurity Trends for Financial Services in 2015" (Think Advisor, November 25, 2014), concerns about the integrity of third party infrastructure are paramount. The new year is expected to yield "active cyber risk mitigation and monitoring" as a replacement for the "current self-certification process." (The latter technique is thought to be less reliable, since a vendor attesting to its own controls is not the same as those controls being tested.) Concentrating on the protection of "high-risk and high-value" data collections is likewise expected to replace a broad and generalized approach.

In a twist of innovation, insurance companies are "racing to actuarially quantify new cyber risks" and offer policies to insure explicit dollar damages as well as indirect losses due to diminished "brand, reputation and goodwill." Click to read "Insurance for Cyber-Related Critical Infrastructure Loss: Key Issues" (Insurance Industry Working Session Readout Report, Department of Homeland Security, July 2014).

In its editorial about the "Challenges of cybersecurity" (August 18, 2014), Pensions & Investments laid out a list of enterprise risk management priorities that should consume those in charge of pensions, endowments, foundations, mutual funds, custodian banks and alternative investment pools. These include, but are not limited to:

  • Preventing access to proprietary data by unauthorized persons;
  • Avoiding the likelihood of leaks by institutional service providers that could "compromise confidential investment details" or make hacking easier;
  • Establishing parameters to block front-running; and
  • Attempting to seal off access to data about beneficiaries and other confidential information from intruders.

A critical task for a plan sponsor is to gather sufficient knowledge about how a candidate asset manager or other type of vendor secures its operations against attackers. Asking questions as part of an RFP makes sense, although responses could be too technical for members of a plan committee to interpret meaningfully. As a result, a plan sponsor could end up having to hire another vendor - an organization to make sense of the replies about cyber security from the first vendor. Moreover, RFPs may not be issued frequently enough to adequately monitor a retirement plan's exposure to cyber security risks between procurement cycles. Kent Costello shares his views in "Automating the Institutional Investing RFP" (June 26, 2014, Information Week: WallStreet & Technology).

Lack of transparency is another issue. In "What investors need to know about cybersecurity: How to evaluate investment risks" (June 2014), authors from PricewaterhouseCoopers and the Investor Responsibility Research Center Institute (IRRCi) bemoan the "hidden" sources of cybersecurity threats. They add that prevailing disclosure standards "are not designed to adequately differentiate between companies' relative readiness, nor are they effective at helping predict which companies are likely to suffer negative impacts due to a security shortcoming."

None of these warnings is comforting, especially when one considers the layers of vulnerability. A plan sponsor, at the corporate or government employer level, could have non-retirement plan data stolen by a cyber thief. At the retirement plan level, a sponsor could see its participant data compromised. As a customer, it faces the chance that a technology failure at one or more of its service providers trickles down to the plan. As an investor, regardless of plan design, it is exposed to security breaches experienced by a portfolio company or asset manager. A defined benefit plan with an investment in Target or Sony, for example, could pay for security breaches in the form of lower stock prices. A 401(k) plan sponsor that selected a mutual fund that owns shares in a breached company may have to change its investment line-up.

On November 9, 2011, the ERISA Advisory Council presented its report on "Privacy and Security Issues Affecting Employee Benefit Plans." A handy "Chart of Practices Useful to Certain Plan Administrators to Minimize Security Breaches" is included. As part of its focus on cybersecurity, the U.S. Securities and Exchange Commission ("SEC") released a sampling of questions it plans to ask during regulatory examinations. Refer to the agenda of "OCIE Cybersecurity Initiative," National Exam Program Risk Alert, April 15, 2014.

Happy New Year fiduciaries. More work is on its way.

ERISA Pension Law Turns 40

Get out the party hats and horns. The Employee Retirement Income Security Act ("ERISA") turns 40 years old today. Signing this legislation into law on September 2, 1974, U.S. President Gerald R. Ford proclaimed a new era, noting that "the men and women of our labor force will have much more clearly defined rights to pension funds and greater assurances that retirement dollars will be there when they are needed. Employees will also be given greater tax incentives to provide for their own retirement if a company plan is unavailable."

Since 1974, change has not been a stranger. In her testimony before the ERISA Advisory Council on June 18, 2014, Honeywell in-house counsel Allison Klausner talked about greater mobility of the work force and a significant reliance on technology over time. The use of third parties was another area of emphasis. She added that "As ERISA turns 40, to effectively deliver 'benefits' (perhaps best stated as 'the delivery of support for the well-being of our workers and retirees') in an employer-sponsored system, plan sponsors find that it cannot be done without outsourcing some (or all) of the administrative and other work associated with and necessary to operate employee benefit plans."

Statistics about plan design paint a dramatic picture of change as well. According to the Private Pension Plan Bulletin Historical Tables and Graphs (U.S. Department of Labor, June 2013), the number of single-employer sponsored defined benefit plans fell from 101,214 in 1975 to 43,813 in 2011. In contrast, the number of single-employer defined contribution plans rose from 207,437 in 1975 to 637,086 in 2011. As plan design preferences reflect demographic and economic shifts, they also present new challenges for fiduciaries.

For those who want to learn more about the history of ERISA and predictions of things to come, the American Bar Association and various co-sponsors are offering a free webinar on the topic. Click to register for "ERISA Turns 40: The Past, Current and Future State of Pension Plans." The event will be held on September 9, 2014 from 1:00 to 2:30 PM Eastern time and will feature speakers from the U.S. Department of Labor and ERISA attorneys in private practice.

ERISA Advisory Council Investigating Fiduciary Management

According to a 2014 statement, the ERISA Advisory Council intends to investigate the nature of retirement plan outsourcing and report its research to the U.S. Department of Labor ("DOL"). "Outsourcing Employee Benefit Plan Services" cites objectives to include the following:

  • Discussion about current practices in outsourcing and whether variables such as plan size or type impact the services provided to ERISA plans;
  • Clarification of "the legal framework under ERISA for retaining outsourced service providers..." and possible areas for regulatory guidance;
  • Getting suggestions about the management of potential conflicts of interest;
  • Further discussing the "scope of co-fiduciary liability in the outsourcing context" for 3(16), 3(21) and 3(38) relationships;
  • Discussion about how contracts are put together between an ERISA plan and a service provider to address issues such as termination rights, indemnification, liability caps; and
  • Examination of insurance coverage and ERISA bonds when an outsourcing arrangement exists.

This news is not particularly surprising. The topic of fiduciary management continues to attract attention, in part because it appears to be growing as a business model in the United States, United Kingdom and elsewhere. According to a survey of 73 pension plans and their advisors, Buck Consultants found that 70% "had at least considered going down that route." Those schemes that had engaged a fiduciary manager cited motivations such as "improved speed in the decision making process, greater focus on the end game, and improved expertise." At the same time, UK-based Brian McCauley, Head of Fiduciary Evaluation at Buck Consultants, added that the governance burden is still "huge." In "Perceptions of Fiduciary Management," Stephenson Harwood attorney Fraser Sparks addresses conceivable conflict of interest trouble spots when "an advisor turns into a provider." One offered solution is to engage an independent third party to evaluate the qualitative and quantitative characteristics of fiduciary manager short list candidates.

Stateside, ERISA legal experts debate the pros and cons of the outsourced fiduciary approach. In "New flavor of outsourced fiduciary for retirement plans hits the market" Investment News reporter Darla Mercado writes that "This latest service offering is popping up in an era when plan sponsors have a heightened awareness of their fiduciary responsibilities and are looking to offload some of them so that they can get back to the day-to-day work of running their business." Drinker Biddle & Reath attorney, C. Frederick Reish, talks about "3(16) lite" and the need to "[r]ead the fine print." The April 2, 2014 piece emphasizes that "...plan sponsors still have the responsibility of choosing and monitoring their service providers."

In "Expert Q&A on Outsourcing Fiduciary Investment Responsibilities" (Practical Law, February 2014), Groom Law attorneys David N. Levine and Allison Tumilty explain the legal dimensions of outsourcing fiduciary investment responsibilities and the advantages and disadvantages of passing the baton for certain delegated tasks. They add that outsourcing "can be appropriate for defined benefit and defined contribution plans of all sizes."

From my perch as a forensic economist who is sometimes hired to give expert testimony, I have observed a larger number of cases being filed that address the relationship between plan sponsor and service provider. Whether that trend continues remains to be seen. Given the foregoing, the ERISA Advisory Council inquiry is likely to be both timely and informative.

New PCAOB Report Finds Pension Valuation Numbers Wanting

According to a new report just published by the Public Company Accounting Oversight Board ("PCAOB"), valuation of pension plan assets was one of the audit areas with "deficiencies attributable to failures to identify and test controls." Given the importance of having proper pension valuations carried out by knowledgeable and experienced persons, it is no surprise that this oversight organization devoted an entire section of its findings to the topic of valuation of pension plans assets. The problems they found include the following:

  • Insufficient testing of controls over how pension plan assets are valued;
  • Testing of controls that were imprecise and therefore did not allow for an assessment of the risk of material misstatement by plan auditors;
  • Failure to properly test the valuation of pension plan assets; and/or
  • Relying on management or the person(s) who performed the reviews without seeking an independent assessment as to why "variances from other evidential matter" were occurring.

In response to these findings, a prominent ERISA attorney commented that the cited deficiencies were not surprising and that valuation problems will continue to grow for those retirement plans that are allocating more money to "hard to value" funds.

In his 2011 speech before the AICPA National Conference, Jason K. Plourde with the Office of the Chief Accountant, U.S. Securities and Exchange Commission ("SEC"), talked at length about the role of pricing services and how securities that are not actively traded should be valued. He suggested that management "may need to perform different procedures and controls when considering the information from pricing services regarding the fair value of financial instruments..."

Concerns about how best to value pension plan assets and regularly test methodologies and controls related to said valuations took center stage in 2008 when the ERISA Advisory Council working group on "Hard to Value Assets" met to discuss how best to improve things. This blogger - Dr. Susan Mangiero - testified on the topic of "hard to value assets," emphasizing that poor valuations lead to a cascade of problems. For one thing, inflated valuations translate into higher fees paid by ERISA pension plans. Second, incorrect valuations make it difficult to properly review and revise any of the items listed below, each of which is critical to proper fund management:

  • Asset allocation;
  • Exposure to a particular sector or fund manager;
  • Fee benchmarking for appropriateness of compensation paid to a manager;
  • Type and size of hedges;
  • Hiring and termination of an asset manager(s);
  • Regulatory funding ratio and related cash financing; and
  • Cost of pension plan de-risking for some or all of current defined benefit plan participants.

If you missed reading Dr. Susan Mangiero's September 11, 2008 testimony before the ERISA Advisory Council Working Group, click to read about "hard to value" assets in the context of ERISA fiduciary duties and pension risk management.

With more pension plans reporting large scale deficits, don't be shocked if further questions are asked about the integrity of asset and liability valuation numbers.

Hedge Funds, Private Equity Funds and ERISA Pension Plans

Alternative fund managers and regulators will convene in Washington, D.C. from July 19 through 21, 2011 to talk about pension investing in hedge funds and private equity funds. Over several days, those who present before the ERISA Advisory Council will be asked to address questions such as those listed below:

  • What differentiates a hedge fund from other types of investments?
  • What differentiates a private equity fund from other types of investments?
  • How are hedge funds and private equity funds, respectively, correlated with the returns of traditional equity and fixed income investments?
  • How can defined benefit and defined contribution plan sponsors mitigate "the lack of liquidity that is characteristic of these investments?"
  • How can fee transparency be enhanced?
  • "Are there any unique diversification benefits offered by hedge funds and private equity investments as opposed to a fund of funds?"
  • What is the view of target date fund managers with respect to including hedge funds and/or private equity strategies within their funds?

According to U.S. Department of Labor documents, the aim is to create best practices guidance in areas such as leverage, liquidity, transparency, valuation, operational due diligence, client and asset concentration and offering documents. Click to download "2011 ERISA Advisory Council: Hedge Funds and Private Equity Investments." Click to read the June 22, 2011 U.S. Department of Labor news release about the forthcoming meetings to address hedge funds and private equity investments by ERISA plans.

Interested readers may want to check out the following items, among many that are available for further research: