PLANADVISER - March/April 2021 - 7

recovery from the pandemic. Walsh's
subsequent answers to senators' questions
repeatedly highlighted his belief
in the importance of implementing
innovative policies to help underserved
workers, especially minorities,
veterans and LGBTQ individuals.
GAO Presses the DOL to Clarify
Cybersecurity Guidance
The Government Accountability Office
(GAO) has released a report examining
cybersecurity in private-sector
defined contribution (DC) retirement
plans and exploring how federal guidance
can mitigate cybersecurity risks;
in the report, the GAO asks the Department
of Labor (DOL) to review, and
improve, its guidance on cybersecurity
administration. The report starts
by noting that DC plans, their sponsors
and service providers-including
recordkeepers,
third-party
explains that not all entities involved in
DC plans are considered to have direct
engagements with confidential
information,
and because some of the guidance
is voluntary, some parties may
choose to disregard it.
The GAO says the DOL has failed
to clarify fiduciary responsibility for
mitigating cybersecurity risks and to
establish minimum expectations for
protecting PII and plan assets, even as
more participants enroll in employersponsored
retirement plans. According
to the DOL, plans saw an 180% surge
in participation from 1990 to 2018.
The amount of assets held in plans
increased seven-fold during this period.
The report highlights four high-risk
administrators
(TPAs), custodians and payroll
providers-share between each other
personally identifiable information (PII)
and plan asset data; this increases the
risk of cyberhacks. The PII contains
highly confidential plan information,
including participants' names,
Social Security numbers, birth dates,
addresses and usernames/passwords,
while plan asset data contains numbers
for retirement and bank accounts.
The shift to remote work in the
past year in response to COVID-19 has
raised concerns about cyberattacks
and questions about whose responsibility
it is to protect participant and
plan data. Those in the financial advisory
industry have upped their cybersecurity
measures, especially as more
firms have faced lawsuits and are
warning plan sponsor clients about
heightened retirement plan litigation
related to cyberhacks.
Even before COVID-19 hit the workforce,
the 2019 " Official Annual Cybercrime
Report " measured an increase in
the threat of cyberattacks, noting that
these are the fastest growing crime in
the U.S. and estimated the cost at more
than $6 trillion globally by 2021.
While existing federal requirements
attempt to minimize risks in DC plans,
more guidance is needed on cybersecurity
on a federal level, the GAO notes. It
challenges that the federal government
and companies face: establishing
a comprehensive cybersecurity
strategy and performing effective
oversight; securing federal systems
and information; protecting critical
infrastructure; and protecting privacy
and sensitive data.
To meet these challenges, the GAO
identified 10 action steps the DOL and
other agencies should take, such as
enhancing the federal response to cyber
incidents, mitigating global supply
chain risks, and addressing cybersecurity
workforce management challenges.
The GAO also recommended that the
secretary of Labor should formally state
whether cybersecurity is a plan fiduciary
responsibility for private-sector
employer-sponsored
DC
retirement
plans under the Employee Retirement
Income Security Act (ERISA). Additionally,
the GAO suggested that the Labor
secretary develop and issue guidance
that
identifies the minimum expectations
for decreasing cybersecurity
risks. This should outline any specific
requirements that all entities involved
in administering private-sector DC
retirement plans should fulfill.
In written comments, the DOL
responded that increasing cybersecurity
awareness would be helpful, but
it did not indicate whether it agreed
or disagreed with the GAO's recommendation
on plan fiduciary responsibility.
The DOL did note, however, that
plan fiduciaries are responsible to act
prudently and solely in the interest of
plan participants and beneficiaries, as
stated in ERISA Section 404.
The DOL further noted that, in its
view, these duties require plan fiduciaries
to take appropriate precautions to
minimize the chance of attacks on their
plans. It says it is currently drafting
compliance
assistance materials
help raise awareness of cybersecurity.
Long-Running BlackRock ERISA
Suit Reaches Settlement
The parties in a complex Employee
Retirement Income Security Act
(ERISA) lawsuit involving BlackRock's
own 401(k) plan have reached a settlement
agreement after nearly four years
of litigation. The filing of the agreement
comes about two months after the
judge, in the U.S. District Court for the
Northern District of California, issued
a ruling rejecting various motions that
the different parties had filed.
Underlying the lawsuit were allegations
that BlackRock engaged in selfdealing
within its own retirement plan
by using an excessive amount of its own
investment products. The complaint
suggests plan fiduciaries selected and
retained high-cost and poor-performing
investment options with " excessive
layers of hidden fees that are not
included in the fund expense ratios. "
The January ruling came in
response to several motions before
the court,
including the defendants'
motion for summary judgment, the
plaintiffs'
cross-motion
for
partial
summary judgment and a motion to
strike. The parties also filed numerous
administrative motions to file documents
under seal in connection with
their briefs. In sum, the January ruling
denied both motions for summary
judgment and the motion to strike,
while granting the parties' administrative
motions to file under seal.
Spelled out in the settlement agreement
is a 29% cap on the gross settlement
amount available to pay plaintiffs'
attorneys fees. This is somewhat lower
than the commonly used 33%.
SEC Unveils Its Green Webpage
The Securities and Exchange Commission
(SEC) has launched a new page on
its website to bring together agency
planadviser.com March-April 2021 | 7
to
http://www.planadviser.com
PLANADVISER - March/April 2021

Table of Contents for the Digital Edition of PLANADVISER - March/April 2021
