Grappling with SECURE 2.0? Plan sponsors need prep, advice and liability protection

Most plan sponsors are monitoring regulatory changes, properly managing plan operations and have appropriate fund and investments offerings, but even with diligent effort, mistakes will happen.

SECURE 2.0 Act

Retirement and benefits plan professionals routinely balance the needs of their organizations with the needs of their employees, many of whom are feeling insecure about saving for retirement. Once we throw in competition for talent, compliance with changing regulations, personal liability, and a perilous economy, anyone can see that dedicated benefits representatives bear enormous moral, professional, and fiduciary responsibilities every day.

Congress passed SECURE 2.0 at the end of 2022 with the primary aim of helping working Americans accumulate more in their 401(k) and 403(b) plans and catch up on retirement savings, by removing or modifying barriers left in place by the original 2019 SECURE Act. The first half of 2023 hasn’t made plan sponsors’ lives any easier: SECURE 2.0 implementation, new IRS rules on deck, ballooning ERISA litigation settlements, and relentless cyber criminals. How can plan sponsors and managers relieve their personal liability pressure points so they can focus on their mission of guiding employees’ planning and benefits in a way that benefits both the company and its staff?

Insecurity about SECURE 2.0

Plan sponsors were already grappling with the ramifications of SECURE 2.0 when, in May, Congress signaled that further SECURE 2.0 changes were coming down the pipeline. About 90 retirement plan-related provisions are addressed or implicated in some way in the updated legislation, and employer action (or inaction) on many of them carries potential liability for the organization and its decision makers. Designed to help American workers accumulate sufficient financial resources for retirement, the new law’s 401(k) and 403(b) provisions take effect in stages across multiple years, placing heavy compliance and reporting pressure on employers to understand them, implement them, and plan accordingly.

Plan administrators who comply best with SECURE’s standards and rules will be in a better position to attract and retain talented employees, which sponsors report has become an increased focus, up 9 percentage points year over year. Unfortunately, plan administrators have more than just SECURE to assimilate into their compliance procedures and fiduciary duties.

Policymakers are moving the (regulatory) goalposts

In February the IRS proposed new rules on the use of forfeitures in qualified retirement plans, and in May a House committee approved a bill that adds an option for CITs in 403(b) plans, one of several SECURE 2.0 corrective actions taken by lawmakers. Various external forces originating in Washington, D.C. are poised to keep the goalposts moving for plan sponsors, including the political and judicial tussle over whether fiduciaries may consider ESG factors in retirement plan design. Then there are the courts litigating an array of cases, including the ongoing Hughes v. Northwestern University, a case brought against Northwestern’s retirement plan committee for not offering the lowest-cost retirement plan or the best available investment funds. This and other cases will set precedents that either open or close doors to litigation against fiduciaries. Plan sponsors must leverage effective processes and technology to monitor dynamic regulatory frameworks and stay current. But that is not enough.

Aggressive ERISA lawsuits

Hopefully, most plan sponsors and administrators realize they bear personal exposure for third-party claims that they failed to meet their fiduciary obligations. If not, this “personal liability” exposure should be taken very seriously. Entrepreneurial-minded attorneys are flocking to uncover breaches of fiduciaries’ ERISA duties, statutory prohibited transactions, or other statutory violations, hoping to tap the trillions of dollars held in private retirement plans. Opportunistic attorneys even go fishing for ERISA violations by casting their litigation nets far and wide. Retirement industry executive Rhonda Berg noted that in the first quarter alone 43 lawsuits had been filed against retirement plans, with 14 settled at a cost of $55.3 million, a record pace that would put 2023 on track for $220 million. Last year was the second most active year on record for ERISA litigation against plan sponsors, with 24 settlements totaling more than $160 million to date. Meanwhile, the Department of Labor’s EBSA recovered $931 million through 907 civil investigations in 2022.

Fiduciary responsibilities = compliance, ROI, and … cybersecurity prudence?

Cyber criminals are keenly focused on stealing high-value plan financial data. On May 12, personal information pertaining to 237,000 US government employees’ commuting benefits was exposed in a US Department of Transportation data breach. Separately, the case of Disberry v. Employee Relations Committee of the Colgate-Palmolive Co. et al. has shone a spotlight on what ERISA’s fiduciary “duty of prudence” really means when cybercriminals drain a participant’s retirement savings. The EBSA states: “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks” — even though plan fiduciaries are not chief information security officers or IT leaders.


The DOL has made cybersecurity a regular focus of audits and investigations of 401(k) and similar plans, so plan sponsors should have response plans in place in case of an inquiry. Further, companies are held responsible for their vendors, so CISOs and fiduciaries should ensure that their providers of retirement and health benefits services can demonstrate sound, documented cybersecurity controls; the DOL’s 2021 cybersecurity guidance, which covers program best practices and tips for hiring a service provider, is a useful yardstick for that review. Vendors have proven highly susceptible to cybercrime, as recent breaches have afflicted Retirement Clearinghouse LLC, Managed Care of North America, and Alight Solutions, an administration provider for over 750 employee benefits plans.

Going a step beyond vigilance to make a defense plan

For SMBs, a $200K compliance penalty or settlement can be devastating. For individual fiduciaries, it can be catastrophic, with legal defense costs averaging about $600 per hour. It is no surprise, then, that Morgan Stanley’s 2022 report found that most plan sponsors’ primary concern is their fiduciary responsibilities, followed closely by compliance and regulations.

Most plan sponsors (62%) are smartly paying attention to legislative changes. Once plan sponsors are monitoring regulatory changes, properly managing plan operations, and offering appropriate funds and proprietary investments at appropriate fees and service levels, they are sitting pretty. Right? Realistically, even with diligent effort, plan sponsors will make mistakes. To protect their company and themselves in a fraught atmosphere of fluid rules and litigious parties, plan managers must have a sound defense plan to secure their liability perimeter.

Fiduciary liability insurance

Under ERISA, the only mandated insurance is a “fidelity bond” covering employee dishonesty, with ERISA prescribing a formula for calculating the amount of coverage required. As the numerous vendor breaches show, pension professionals and plan sponsors should also mitigate their third-party liability, the exposure that comes from their decision to use third-party services. Additionally, fiduciaries accused of a breach of duty are often the ones who must prove that there is no link between a cybersecurity incident and the losses suffered by the plan. Fiduciary liability insurance is an indispensable measure to ensure that sponsors and their businesses are protected with defense costs and penalty limits, and cyber liability coverage picks up the costs that follow a data breach: legal and computer forensic services, call center services, credit and identity monitoring, and cybersecurity response services. Without such protection, plan sponsors are on the hook for all of these costs themselves.

Employee plan professionals need to exercise extraordinary vigilance in today’s economic and regulatory environment to deliver well-run, value-added benefits plans. The DOL states they “must act prudently,” “avoid conflicts of interest,” and “diversify the plan’s investments in order to minimize the risk of large losses.” A robust defense plan should include coordination with cybersecurity colleagues, solid cyber and fiduciary liability insurance, monitoring of evolving regulatory frameworks, and updated, increasingly automated compliance practices. Only then can plan professionals have the peace of mind to run excellent plans in the sole interest of participants and beneficiaries, which in turn benefits themselves and the organization.

Richard Clarke is Chief Insurance Officer at Colonial Surety Company.