DOL’s Khawar Says ‘Partnership’ Needed to Combat Cyber Risks

The principal deputy assistant secretary for EBSA discusses how plan fiduciaries have been using DOL best practice guidance, and why health care may be next.

Art by Karlotta Freier


The U.S. Department of Labor issued cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants back in April 2021. It was the first time the DOL’s Employee Benefits Security Administration had issued a notice on cybersecurity, and it has since become an industry standard.

The five-page best practices document is a relatively straightforward and practical guide for protecting Americans’ more than $9 trillion in retirement assets. But as a recent breach of plan-related data that exposed participant information showed, the guidance remains crucial in a fast-evolving criminal industry targeting personal information.


The guidance was not designed to target any single group within the large ecosystem of employer retirement plan services, but to remind everyone involved that they have a role to play, says Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration.

“We know of situations where everyone is looking at each other and saying, ‘Well, why didn’t they do more?’ And everyone’s kind of pointing the finger at each other,” he says. “I think everybody knows how those situations go: They happen. That was what we wanted to avoid.”

Khawar recently spoke with PLANADVISER about developments and EBSA focus areas for cybersecurity. The interview was edited for length.

PLANADVISER: EBSA’s cybersecurity guidance has now been in use for more than two years. How has the response been, and what has developed from it?

KHAWAR: A big part of the impetus [in issuing the guidance] was just making sure that everyone understands that when it comes to these issues, that it’s not solely the private sector’s responsibility, but everyone has an important role to play.

We recognize that, depending on the plan sponsor, not all of them are going to have familiarity with cybersecurity issues. There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case. But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution they’re working with is doing what they need to be doing.

Even though it’s fair to say that not every stakeholder has a ticker-tape parade when we issue guidance, I think it’s fair to say that it has generally been well received. … It’s kind of helpful to have the government there; but it’s something that I view as a bit more of a partnership than a lot of other issues that we work on.

PLANADVISER: Can you tell me how this has played out on the ground? Has there been more cybersecurity auditing by the DOL or other regulators?

KHAWAR: On a routine basis, when we’re looking at retirement plans, folks should expect that we’re going to be asking some questions about cybersecurity. That doesn’t make every investigation a detailed cybersecurity investigation. But we might ask someone to describe the process by which they hire a service provider or how they’re monitoring their service provider. … That doesn’t necessarily mean we’re pointing to the best practices and asking, ‘Have you done A, B, C and D?’ Because we issued them as best practices, if that’s what you’re doing and you’ve done the kinds of things that are highlighted in there, you’re probably thinking about things the right way, and from our standpoint, have probably satisfied your obligations.

Though it’s very important to stress that: In the same way that you can have a prudent investment process and still lose money on the [investment] you select at the end, you can have a robust cybersecurity process and still have a breach. This isn’t about having something that is impenetrable. Obviously, if someone has that, perfect. But we are at the stage right now where we are making sure that there’s no sloppy mistakes, right? If there’s a known vulnerability, it’s making sure [a plan sponsor is] not waiting weeks or months or years to address the issue.

PLANADVISER: Advisers will often ask how it’s possible for mid- or smaller-tier plan sponsors to manage best practices around cybersecurity—or a number of other retirement compliance areas, for that matter. What would you say to those fiduciaries or firms that are smaller and juggling many items at once?

KHAWAR: One point of our elevating and highlighting these things is to make sure that [small plan sponsors] are paying attention to it. The part we’re focused on is the employee benefit plan. But it’s also true that it redounds to the benefit of their business as well, because their business may also be subject to a ransomware attack, in particular. The fact that they are paying more attention to cybersecurity is not exclusively a good thing from an ERISA perspective.

Part of what we have done is to make it easy for them. That is, when you think of the kind of thing we’re talking about in our tips and our best practices, the goal is not, ‘Do you know what SOCKS is?’ There’s not a quiz. … It comes back to the same context that you have for a lot of fiduciary interactions: It’s a question of, ‘Are you the educated kind of student consumer?’, so to speak. In the same way that if you were using any other service for your business, you would ask questions.

One thing that I’ve heard, including from the small business universe, is that they have literally printed out those best practices and said, ‘OK, we’re in the process of hiring a service provider, please fill this out. And then just give me a written answer.’ It’s a pretty simple way that people can do it, and they don’t have to have a high level of expertise.

PLANADVISER: There was a major breach that hit the retirement plan space recently, and there will likely be more in the future. What do those larger cases do, generally, for your focus and view of cybersecurity needs?

KHAWAR: We were just talking about small employers. But this is not limited to the small employer universe. There are large institutions that I think have benefited from paying more attention to their cybersecurity practices. … One of the questions I think you can always ask yourself when it happens is, ‘What parts of it were preventable?’ and thinking about it—and this is especially true for the service providers—both on a prospective and retrospective basis.

It’s important to approach some of these issues with an open-mindedness. The priority really shouldn’t be, ‘How can we make sure to tell everyone that our process is perfect?’ But if you’re holding ERISA money, the primary job you have is to keep that money safe. If your focus is on justifying after the fact something that maybe was a mistake, instead of fixing the mistake, that’s not where we want people to be.

The criminal element is always evolving. That phenomenon is kind of on steroids when it comes to cybersecurity. The thing that someone did 10 years ago is not the cutting-edge thing of tomorrow. … You really need to have a mindset that [criminal activity] is open to evolution, and taking that critical eye to it is one of the important things.

PLANADVISER: Do you plan to issue more guidance in the future?

KHAWAR: When we issued our best practices in April of ‘21, it was framed very much in the retirement plan context. At the time, we wanted to make sure that we had thought through whether there were distinctions between retirement plans and other plans—health plans—but also other welfare plans that are covered by ERISA. We didn’t think anything in the guidance conflicted with what our obligations would be. But the question was, given when you’re talking about health data, for example, there’s other federal privacy requirements. … To what extent do those add on extra things that we might want to highlight?

We asked our ERISA Advisory Council to look at that question. Their conclusion was that while there may be additional requirements that are imposed on fiduciaries of health plans, that … the [cybersecurity] best practices are just as applicable.

One of the things that more recently I’ve started hearing is that because even though we have subsequently said, ‘If you’re complying with it in the context of a retirement plan or a health plan or any other plan, you’re in good shape.’ Right? These are principles that you should be taking seriously. But when some sponsors have asked their service providers kind of the same questions in the context of a health plan and pointed to the Department of Labor [issuance], the answer that they’ve been given is, ‘Well, that’s just about retirement plans.’

That’s something that we’re looking at how we can best address. I think there will be something coming out at some point on that to, again, give something that people can look at in writing and point to.

As Health Costs Dominate Budgets, HSAs Continue to Emerge as Retirement Saving Vehicles

Expert says the marketplace has approximately 36 million HSAs, housing more than $100 billion in assets.

Art by Marc Rosenthal


The number of health savings accounts has seen significant growth in the last few years as Americans grapple with the increasing challenges of controlling health care costs.

“Health care cost is trapping almost 20% of GDP over the last several years,” says Tom McCarthy, the head of the health care digital experience team within Fidelity Investments’ health division. “Twenty cents of every single dollar in this country are going toward a medical or health care expense to a facility or to research. It’s a huge problem, both for the employer as well as the employee.”


One way to prepare for these health care cost needs while not eroding tax-deferred retirement savings? The HSA, nearing its 20-year anniversary after being signed into law at the end of 2003. Last year, HSAs exceeded $100 billion in total assets for the first time, and in early 2023, accounts experienced significant asset growth, according to research from HSA consultant Devenir Group LLC. At the end of January, total assets reached $112.5 billion, up 8% since year-end 2022.

A Savings Program Good for Your Health

Fidelity, which offers HSAs, has 2.8 million accounts, with more than $17 billion in assets. Growth comes in part from a sales message focused on the portable retirement benefit the savings vehicle can provide, according to McCarthy. The firm sells the accounts via 1,600 employer clients, but it also offers HSAs directly to the public through its retail division, as well as through the Fidelity Institutional division using financial intermediaries.

“[HSAs] are used very much in conjunction with retirement savings,” says McCarthy. “We see a significant amount of demand from our employer clients of all shapes and sizes, from the largest logos in the country to small employers, obviously offering mostly 401(k)s. There are other different types of retirement solutions alongside a 401(k). If that employer is offering a consumer-directed health care plan, they very often offer an HSA account, with that to be used as both a savings and a spending vehicle.”

McCarthy says it is important to stress to employers and participants that, unlike flexible spending accounts, or other accounts in which you “use it or lose it,” HSAs are individually owned accounts that the participant or employee puts money into, pretax, from their paycheck.

“They elect to either keep that in cash invested for the long term or use it for current or future medical expenses. It is their account, they own it,” he says. “If they were to leave that company, they take that HSA with them. They could use it now or they can use it as a retirement vehicle in the future.”

Advancements in HSAs

Greg Puig, a partner in and head of group insurance at the Sentinel Group, has noticed many new HSA advancements in recent years, with a focus on improving the investment options—and outcomes—available if a participant keeps their money in the account.

Specifically, Puig has seen vendors make investment recommendations within their HSA vehicles, a useful addition, as few individuals are prepared to select which ones would be right for them.

“401(k) plans, which have a lot of target-date funds, have a ‘set it and forget it’ type of mentality. What we’ve found with a lot of the HSA vendors is that they didn’t have that,” says Puig. “They have an array of mutual funds for people to choose from, with various risk factors associated with them, high growth funds, low growth funds, etc. Now HSA vendors make it easier for people to make the right investment vehicle selections for them.”

Another advancement is making web-based and mobile-based platforms easier to use from an investable-assets standpoint, says Puig.

“They’ve made it a lot easier for somebody to just click a checkbox and say, ‘Yes, I want to start investing any dollar over what the whatever the required cash asset size is,’ which is really nice,” he says. “Whereas before, the process was more cumbersome and a little bit more manual than that.”

He has also seen several vendors leverage internal investment teams to make a recommended fund write-up, better ensuring participants are getting the best guidance for their HSA investments.

“By having a recommended fund lineup, not a mandatory ‘We’re-going-to-put-your-money-into-this’ account, I think it bypasses some of that fiduciary liability that people are worried about,” says Puig.

Growth Accounts

When it comes to the investing within HSAs, Megan Pacholok, a senior research analyst for Morningstar Research Services LLC, says it will largely depend on the provider of the account.

HSA providers will typically include a couple of equity funds and some core bond funds. They can include a target-risk series, so there are conservative, moderate and growth portfolios. In other instances, they’ll also include a TDF, she notes.

Overall, the plans do not work exactly like a retirement account due to various limits and restrictions, according to Pacholok.

“HSAs have a restriction on how much you can contribute to it each year,” she says. “Some of them have a brokerage account in which you can choose your own investments outside of that menu, but [in] others, you really are restricted to only that.”

Another restriction would be an investment threshold, so an individual would have to keep funding their spending account prior to investing their funds, says Pacholok. A lot of HSAs do have the requirement to keep at least $500 to $1,000 in the account.

Despite these restrictions, as HSAs have advanced, they are showing more and more options that look like a retirement savings plan.

As for growing savings, the possibilities are “infinite,” says Puig. “[Money] goes in tax-deferred, grows tax and as long as it comes out for eligible medical expenses, all of the assets are never taxed. A triple tax advantage; there’s not many things that can do all three of those.”
