The increased use of technology has led to improved administration of retirement benefits through advancements in electronic data storage and online participant portals. But recently, employer plan sponsors have questioned how to properly verify participant information provided on these portals and how to protect their plans' data from cybersecurity breaches.

Most retirement plans offer an online portal where plan participants can access their accounts, change investment selections or adjust deferral percentages. Some plans have now added the functionality of allowing participants to request a hardship distribution online. To qualify for one, participants must meet one of the following "immediate and heavy financial need" criteria under Treas. Reg. § 1.401(k)-1(d)(3)(iii)(B):

  1. Expenses for medical care deductible under Section 213(d)
  2. Costs related to the purchase of a principal residence of an employee
  3. Payment of tuition and room and board expenses of the employee, or the employee's spouse, children or dependents
  4. Payments necessary to prevent eviction of the employee from a principal residence
  5. Payments for burial or funeral expenses for the employee's deceased parent, spouse, children or dependents
  6. Expenses for the repair of damage to the employee's principal residence that would qualify for the casualty deduction under Section 165

Under this situation, plan sponsors have asked whether they have an obligation to verify the existence of an employee's hardship. With no verification, the plan sponsor is at risk of an employee's not being truthful about the stated reason for a hardship distribution, and issuing a distribution impermissibly. This could lead to a violation of either the plan's written terms or the in-service distribution restrictions of Section 401(k)(2)(B), leading to a disqualification of the plan.

In a memo titled "Substantiation Guidelines for Safe-Harbor Distributions from Section 401(k) Plans," dated Feb. 23, 2017, the IRS established the following guidelines for plan sponsors to follow to verify the existence of an employee's hardship:

Step 1:
  1. Determine whether either source documents or a summary of the information contained in source documents has been obtained prior to making a distribution.
  2. If summary information is used, provide the employee with notifications required on Attachment I: Hardship Substantiation Information and Notifications for Summary of Source Documents (attached to the IRS memo) prior to making a distribution.
Step 2:
  1. If source documents are obtained, review the documents to determine whether they support the hardship distribution.
  2. If you obtain a summary of information, determine whether it contains information listed on the attachment.
  3. Request source documents if the summary information is incomplete or inconsistent.
  4. Request source documents if the employee has received more than one hardship distribution in the year.
  5. Third-party administrators should provide a report of summary information to the employer.

  • A more recent problem for plan sponsors, but one that has quickly become a primary concern, is protecting a retirement plan from cybersecurity threats. The ERISA Advisory Council, which advises the secretary of the U.S. Department of Labor on functions under the Employee Retirement Income Security Act, on Jan. 24, 2017, published the final report of its working group on cybersecurity protections for benefit plans. The goal of the report is to "provide useful information to plan sponsors, fiduciaries and service providers in evaluating and developing a cybersecurity risk management program for benefit plans."

Plan sponsors and administrators of retirement plans constantly use, share and store sensitive data about plan participants, including Social Security numbers, account balances and salary figures. The first step in protecting this data is to collect and keep it only if there is a documentable legal requirement for the data or a demonstrable business process in which the data is actually used.

After the data that will be stored and shared has been identified, a process must be established to manage cybersecurity risk. Each sponsor should tailor a customized cybersecurity strategy to fit its plan. The ERISA Advisory Council identified the following considerations when establishing processes as part of a cybersecurity strategy:

  1. Implementation and monitoring – Review frequently and update cybersecurity strategies to reflect changes in the cybersecurity risk environment.
  2. Testing and updating – Evaluate the effectiveness of the cybersecurity controls that have been put in place.
  3. Reporting – Consider the level and frequency of reporting to be shared with benefits committees, investment committees or other named fiduciaries.
  4. Training – Train staff with direct or indirect access to retirement plan data.
  5. Controlling access – One of the best ways to reduce cybersecurity risk is to limit data access to individuals who absolutely need it.
  6. Data retention and destruction – Reduce the amount of data stored to reduce the impact of potential cybersecurity breaches.
  7. Third-party risk management – Determine how third parties are using the plan's data and request information on their security procedures.

Overall, the ERISA Advisory Council's report has raised awareness on cybersecurity issues and provided guidance on strategies to mitigate cybersecurity risk. More guidance is needed on legal questions relating to a plan sponsor's responsibility to implement cybersecurity risk mitigation strategies. For more information, the complete report can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.