According to Bloomberg Law, many small U.S. retirement plan sponsors are not evaluating the tech firms they’ve hired to protect user data even with recent Department of Labor (DOL) guidance. Benefits and executive compensation partner Sarah Bassler Millar discusses the impact of the DOL’s increased cybersecurity enforcement on plan fiduciaries.
For smaller plans that understand their newly redefined fiduciary responsibilities, their size may still prevent them from exercising those responsibilities, noted Bassler Millar. “To what extent can smaller or mid-sized employers effectively monitor vendors when the vendors are so big?” she said. “These plans have a lot less negotiating power with big recordkeepers, so how can they effectively fulfill their fiduciary responsibilities when, for example, contract language may not be negotiable?”
The publication explained that it might not matter that recordkeepers are ramping up their cybersecurity practices if the smaller employers responsible for their participants’ data cannot obtain the information they need to document those practices. Bassler Millar said she tells clients to prioritize that documentation, highlighting the need for proof in their requests for information and in regular communications with their vendors.
“I think, at a minimum, it’s important to ask the questions,” Bassler Millar stated. “We’ve seen this story play out in other areas in the past; when lots of different employers are asking the same questions, it moves the needle for these big recordkeeping firms.”