Last year, our managing principal wrote a post titled "2018 – The Year of Cybersecurity." I am wondering if we should revisit the title. Something like "The Next Decade of Data Breaches"? I say this in jest to make the point that the review of service providers is shifting, and cybersecurity wasn’t just an issue in 2018. Cybersecurity and digital review are becoming a new component of overall service provider review – not one that can be ignored. This post is the first of two, both of which focus on monitoring service providers in a digital era. First, we dive into the criteria for monitoring service providers and their digital interfaces. Second, we review action steps for the selection and monitoring of service providers as they relate to cybersecurity protocols.
Digital Fiduciaries
Digital fiduciaries[1] arguably have a responsibility under ERISA to monitor the online interfaces made available to participants in the retirement plan. Except for mega-retirement plans that might be creating their benefit websites in-house, most web interfaces are provided by a third party recordkeeper or other service provider to the plan. If that is the case for your plan, the fiduciaries may want to include digital criteria in the review of service providers. This post will provide specific criteria to request from service providers.
What Digital Criteria Should Be Reviewed?
For the recordkeeper, third party administrator, or other service provider that is creating and maintaining the participant-facing website, consider asking questions during the initial selection process that focus on the set-up of the participant-facing materials and websites.
- Usability for the participant is critical. A recent study found that several commonly used terms in the financial services industry don’t make sense to their intended audience. For example, 63% of millennials in the study didn’t understand the term “plan participant.”[2] When reviewing the website and communication set-up, start by reviewing all participant-facing screens. You will need to request a sample log-in and sample electronic communications from the service provider. Then, review and ask yourselves: Is this easily understood by our average employee? To achieve this intended goal, be sure the service provider is avoiding financial and legal jargon as much as possible.
- The colors, placement on the screen, shapes, and sizes of interface elements can influence the decisions made by an employee. It is not a requirement that your plan customize interfaces from the recordkeeper. In many cases, you might not be able to make changes given the size of the plan. However, to determine whether the plan will be able to achieve any level of customization, ask the service provider specific questions; broad questions allow for general responses. Example questions may include:
- Can digital communications be customized with respect to font, color, and graphics/logos?
- Can digital communications be sent at a specific time of the day that will best catch the attention of this particular participant population?
- Can participant-facing webpages be customized with respect to font, color, and graphics/logos?
- For data/information that appears on the website in a specified order (or in a series of webpages in a specified order), can the data/information on the pages be re-grouped or re-ordered? For example, if there are a series of pages that assist the participant in making an investment-related decision, can that information be re-ordered from the default setting?
Once the initial assessment has been made and the vendor is selected, if the service provider provides electronic interfaces to your participants, consider an ongoing, periodic review of the following:
- Web demo or screenshots of all participant-facing screens, including but not limited to any screens used to assist participants with making investment selections
- Online tools made available to participants
- Electronic communications or notices
Document the review of these materials to demonstrate the committee’s prudent monitoring of the service provider. If any deficiencies are found during the review and corrections are requested from the service provider, document the requests and the associated corrections. While this is only one component of the service provider review process, the digital component continues to grow in importance as more retirement plan activities “go digital.” To learn more about conducting a service provider search or ongoing monitoring of a service provider, and how to include digital criteria, contact a Multnomah Group consultant.
Notes:
[1] Shlomo Benartzi, The Digital Fiduciary, Overseeing Retirement Plans in the Digital Age, available here: https://forprofessionals.voya.com/sites/forprofessionals.voya.com/files/3052995_DigitalFiduciary_Paper_FINAL.PDF.
[2] Empower Institute, Boosting the Effectiveness of Retirement Plan Communications, January 2019, available at: https://docs.empower-retirement.com/Empower/institute/Effective-Communication.pdf.
Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Multnomah Group does not provide legal or tax advice. Any views expressed herein are those of the author(s) and not necessarily those of Multnomah Group or Multnomah Group’s clients.