Financial wellness programs aim to increase worker satisfaction and retention rates


With the rise in inflation over the past year, American workers are facing increasing financial burdens. Elevated costs of food, utilities, gas and other goods and services added to the ongoing and now accelerating pressures on housing affordability, the struggle to repay student loan debt, and health care expenses are putting a severe strain on household budgets. Given all this, it is apparent that many working Americans are currently having a hard time dealing with a broad range of financial stressors.

The ripple effects of this stress can have an impact on employers. Employees who are under a high level of financial stress may take their problems with them into the workplace. They may demonstrate low levels of engagement and have problems with concentration and focus. Low productivity levels and high rates of employee turnover can result.

Employees who are experiencing financial challenges may feel that they can’t afford to participate in their employer-provided retirement plan or boost their contribution percentages. In addition, a lack of basic financial knowledge among many employees means that they are unable to appreciate the value of retirement planning.

The value of financial wellness programs
Employers are increasingly aware of the benefits that come from focusing on the overall financial well-being of their employees. More employers are looking for ways to combine financial wellness education with plan participant education with the goal of helping their employees develop the financial knowledge that can have a positive impact on their lives.

Recent data from the Employee Benefit Research Institute (EBRI) [1] indicates that employers are adding or enhancing financial wellness programs for their employees to achieve a variety of goals. Employers’ top issues to address are:

  • Retirement preparedness
  • Health care costs
  • Financial stress
  • High cost of living

The EBRI research found that financial planning education, seminars or webinars, and investment/investing seminars or webinars that provide broad-based financial knowledge were most likely to be included in the financial wellness programs currently offered. Initiatives focused on a single issue were less likely to be included.

Employer concerns
For employers, costs remain a top challenge in offering financial wellness programs. The EBRI research found that 85% of employers surveyed evaluate their financial wellness offerings by creating a cost/benefit analysis based on:

  • Employee satisfaction
  • Employee attraction/retention
  • Employee productivity
  • Medical and mental health claims by employees

What the future holds
The EBRI identified the following financial wellness program components that companies most frequently stated that they were planning to offer employees in the near future:

  • Tuition reimbursement and/or assistance
  • Basic money management tools
  • Child/elder caregiving benefits
  • Personalized credit/debt counseling, coaching and planning

Encouraging plan participants to become more actively involved in retirement planning and to take the steps that will move them closer to retirement security is an ongoing process. For input and assistance with your participant messaging and engagement efforts, as well as options to employ a financial wellness program, consult your UBS Advisor.

DOL guidance on cybersecurity best practices


Plan fiduciaries should ensure that policies, procedures, guidelines and standards are in place to properly address plan-related cybersecurity risks. The stakes are high given that there is an estimated $9.3 trillion in retirement assets in the United States and personal data on millions of participants. The US Department of Labor’s Employee Benefits Security Administration (EBSA) has provided guidance on cybersecurity program best practices [2] that plan sponsors may find helpful when evaluating service providers responsible for plan-related IT systems and data. The guidance is summarized below.

A formal, well-documented cybersecurity program
Having a program that can identify and assess internal and external risks that potentially pose a threat to the confidentiality, integrity and availability of stored nonpublic information is essential.

The program should enable an organization to:

  • Identify the risks to assets, information and systems
  • Protect each of the necessary assets, data and systems
  • Detect and respond to cybersecurity events
  • Recover from the event
  • Disclose the event as appropriate
  • Restore normal operations and services

Please refer to the EBSA guidance for the full list of all criteria for such a program.

Prudent annual risk assessments
Plan service providers should conduct annual risk assessments in an effort to identify, estimate and prioritize information system risks.

The assessments should:

  • Document how identified cybersecurity risks or threats are evaluated and categorized
  • Establish criteria for evaluating the confidentiality, integrity and availability of information systems and nonpublic information, and document how existing controls address the identified risks
  • Describe how the cybersecurity program will mitigate or accept the risks identified
  • Facilitate the revision of controls resulting from changes in technology and emerging threats
  • Be kept current to account for changes to information systems, nonpublic information or business operations

A reliable annual third-party audit of security controls
The program should include having a reliable third-party auditor assess the organization’s security controls and provide a clear, unbiased report of any risks, vulnerabilities and weaknesses it finds in the controls. The guidance lists things that EBSA would expect to see as part of its review of an effective audit program.

Clearly defined and assigned information security roles and responsibilities
The cybersecurity program should be managed at the senior executive level and implemented by qualified personnel. The guidance notes that personnel should have sufficient experience and necessary certifications, receive regular updates and training, and pass initial and periodic background checks in order to work on the cybersecurity program.

Strong access control procedures
Access control consists of authentication and authorization: confirming that users are who they claim to be, and confirming that they have only the access to IT systems and data that is appropriate for them. The EBSA guidance identifies several best security practices for access control, including the following:

  • Access to systems, assets and associated facilities is restricted to authorized users, processes, devices, activities and transactions
  • Access privileges are limited based on an individual’s role and the need-to-access principle and are reviewed at least every three months
  • Employees use unique, complex passwords
  • Multifactor authentication is used wherever possible, especially when accessing internal networks from an external network
  • Policies, procedures and controls are implemented to monitor the activity of authorized users and detect unauthorized access, use of, or tampering with nonpublic information
  • Procedures are implemented to ensure that sensitive information about a participant or beneficiary in the records of the service provider matches the information that the plan maintains about the participant
  • The identity of the authorized recipient of funds is confirmed
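As an added illustration (not part of the EBSA guidance or of this newsletter), the following Python script audits a constructed entitlement export against three of the practices listed above: the need-to-access principle, a review at least every three months (treated as 90 days), and multifactor authentication, especially for access from an external network. The systems, roles, user records and audit date are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# "Reviewed at least every three months": treated here as 90 days.
REVIEW_INTERVAL_DAYS = 90

# Hypothetical need-to-access matrix: which roles are approved on each system.
APPROVED_ROLES = {
    "recordkeeping": {"plan-admin", "payroll-upload"},
    "data-warehouse": {"batch-job"},
    "participant-portal": {"read-only"},
}


@dataclass
class AccessGrant:
    user: str
    role: str
    system: str
    mfa_enabled: bool
    last_reviewed: Optional[date]  # None means the grant was never reviewed
    external_access: bool          # reaches the system from outside the internal network


# Constructed sample entitlement export (not real accounts or systems).
SAMPLE_GRANTS = [
    AccessGrant("alice", "plan-admin", "recordkeeping", True, date(2024, 3, 1), False),
    AccessGrant("bob", "payroll-upload", "recordkeeping", False, date(2023, 10, 15), True),
    AccessGrant("svc-batch", "batch-job", "data-warehouse", False, None, False),
    AccessGrant("carol", "read-only", "participant-portal", True, date(2024, 1, 2), True),
    AccessGrant("dave", "plan-admin", "participant-portal", True, date(2024, 3, 20), False),
]
AS_OF = date(2024, 4, 1)  # constructed date on which the audit is run


def audit_grants(grants: List[AccessGrant], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (user, system, finding) tuples for every grant that misses a practice."""
    findings = []
    for g in grants:
        # Need-to-access: the role must be approved for that system.
        if g.role not in APPROVED_ROLES.get(g.system, set()):
            findings.append((g.user, g.system, "role not approved for system"))
        # Quarterly review: a review exactly 90 days ago is still in date.
        if g.last_reviewed is None:
            findings.append((g.user, g.system, "never reviewed"))
        elif (as_of - g.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((g.user, g.system, "access review overdue"))
        # MFA: mandatory for external access, expected everywhere else.
        if not g.mfa_enabled:
            reason = "external access without MFA" if g.external_access else "MFA not enabled"
            findings.append((g.user, g.system, reason))
    return findings


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed export as of AS_OF."""
    return audit_grants(SAMPLE_GRANTS, AS_OF)
```

Running `audit_sample()` on the constructed data reports five findings (two each for bob and svc-batch, one for dave) and none for alice or carol, whose last review falls exactly on the 90-day boundary.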

Security reviews and independent security assessments of assets or data secured in a cloud or managed by a third-party service provider
The EBSA cautions that organizations must understand the security posture of a cloud service provider in order to make sound decisions on using the service.

Best practices include:

  • Requiring a risk assessment of third-party service providers
  • Defining minimum cybersecurity practices for these providers
  • Assessing providers periodically based on potential risks
  • Ensuring that guidelines and contractual protections address the third-party service provider’s access control and encryption policies and procedures as well as its notification protocol for cybersecurity events

Cybersecurity awareness training
Training sets clear cybersecurity expectations for all employees and educates them to recognize the signs of an attack, help prevent cyber-related incidents and respond to a potential threat. The EBSA notes that identity theft should be considered a key topic of training.

Secure System Development Life Cycle (SDLC) program
A secure SDLC process will ensure that activities such as code review, penetration testing and architecture analysis are an integral part of the system development effort. The guidance includes various best practices for this undertaking.

Business resiliency program
It is critical that an organization can quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and data.

The core components of an effective business resiliency program include the Business Continuity Plan, Disaster Recovery Plan and Incident Response Plan.

The EBSA notes that an effective business resiliency program should, among other things, define the internal processes for responding to an event or disaster and define the plan goals. It should also define what the documentation and reporting requirements are when an event occurs, and define and describe the roles, responsibilities and authority levels of involved personnel. Importantly, an effective program should also describe internal and external communications and information sharing, including protocols to notify the plan sponsor and affected users, if needed.

Encryption of sensitive data
An effective data encryption system should implement current, prudent standards for encryption keys, message authentication, and hashing to protect the confidentiality and integrity of the data at rest or in transit.

Strong technical controls implementing best security practices
Best security practices for technical security include:

  • Hardware, software and firmware models and versions that are kept up to date
  • Vendor-supported firewalls, intrusion detection and prevention appliances/tools
  • Updated antivirus software and routine patch management
  • Network segregation, system hardening and routine data backup

Responsiveness to cybersecurity incidents or breaches
This involves action that should be taken to protect the plan and its participants when a cybersecurity breach or incident occurs. Steps include:

  • Informing law enforcement
  • Notifying the appropriate insurer
  • Investigating the incident
  • Giving impacted plans and participants the information necessary to prevent and reduce injury
  • Honoring any legal or contractual obligations with respect to the breach
  • Fixing the problem that caused the breach to prevent its recurrence

These best practices are detailed and complex. The bottom line is that with so much at stake, it is absolutely critical that all parties working in the retirement and investment management arenas bring an intense and focused commitment to protecting plan assets and participant information.

SECURE 2.0 Act and its impact on retirement plans


Federal legislation signed into law on December 29, 2022 contains several plan-related provisions of importance to plan sponsors. The legislation, known as the SECURE 2.0 Act of 2022 [3], will affect plan administration and compliance and offers several opportunities to enhance plan features that plan sponsors may want to consider.

Auto enrollment and escalation
Section 101 of SECURE 2.0 requires new 401(k) and 403(b) retirement plans established after December 29, 2022 to automatically enroll eligible employees at a deferral rate of at least 3% but not more than 10%, with employees having the ability to opt out or change their deferral rate. Plans must automatically increase the deferral percentage by 1% annually up to at least 10%, but capped at 15%. Section 101 is effective for plan years beginning after December 31, 2024.

Plans established before December 29, 2022, SIMPLE plans, and governmental and church plans are excluded. In addition, auto enrollment is not required for the first three years of a new business or for small businesses with 10 or fewer employees.

Safe harbor corrections
The new law provides a safe harbor grace period for penalty-free corrections of reasonable errors made by a plan sponsor in administering auto enrollment and auto escalation features. The grace period is nine and a half months after the end of the plan year in which the errors occurred. Plan sponsors are required to provide notice to affected employees and provide employees with any matching contributions that should have been made. This provision is effective for errors that occur after December 31, 2023.

Financial incentives for plan contributions
Employers may offer employees small financial incentives, for example low-dollar gift cards, to participate in their 401(k) or 403(b) plan. However, these incentives cannot be funded by the plan’s assets. This option is available for plan years beginning after December 29, 2022.

Catch-up contribution limits for participants ages 60 – 63
For tax years beginning after December 31, 2024, plans may allow participants ages 60 to 63 to make catch-up contributions up to the greater of $10,000 ($5,000 for SIMPLE plans) or 50% more than the regular catch-up amount in 2024 (2025 for SIMPLE plans). The dollar amounts are to be inflation-indexed for years after 2025.

Roth catch-up contributions
For tax years beginning after December 31, 2023, catch-up contributions to qualified retirement plans must be made on a Roth basis if a participant’s compensation from the plan sponsor exceeded $145,000 (indexed after 2024) during the prior year.

Penalty-free withdrawals
The new law allows plans to offer participants additional types of distributions that are free from the 10% early withdrawal penalty, as follows:

  • Starting in 2024, plans may allow one distribution per year of up to $1,000 for purposes of meeting a participant’s unforeseeable or immediate financial needs relating to necessary personal or family emergency expenses. Plan administrators may rely on the participant’s self-certification of eligibility for the distribution. The participant has the option of repaying the distribution within three years. The participant may not take other emergency distributions during this three-year period unless the initial distribution is fully repaid or the amount contributed by the participant after the distribution is at least as much as the amount not repaid
  • Starting in 2024, plans may permit participants to withdraw the lesser of $10,000, indexed for inflation, or 50% of their vested account balance if they self-certify that they are a victim of domestic abuse. Participants may repay the withdrawn money over three years
  • After December 29, 2022, plans may offer distributions to certain terminally ill employees
  • Plans may distribute up to $2,500 per year toward a participant’s payment of certain long-term care insurance premiums. This provision is effective after December 29, 2025

Plans may offer distributions of up to $22,000 for participants who are affected by federally declared disasters, retroactive to disasters occurring on or after January 26, 2021. Distributions are included in income over three years and may be repaid to a tax-advantaged retirement account. Additionally, amounts distributed prior to the disaster to purchase a home can be recontributed, and an employer is permitted to provide for a larger amount to be borrowed from a plan by affected individuals (100% up to $100,000), and for additional time (one-year extension) for repayment of plan loans owed by affected individuals.

Emergency savings accounts
SECURE 2.0 allows employers to offer non-highly compensated employees emergency savings accounts linked to individual account retirement plans. Employers may automatically enroll employees in these accounts at no more than 3% of their salary. Employee contributions are capped at a maximum of $2,500 (indexed) or a lower amount set by the employer, with contributions made on a Roth (after-tax) basis. If the employer makes matching contributions under the plan, the employer must match amounts contributed to the emergency savings account at the same rate as regular participant deferrals.

One tax-free, penalty-free distribution per calendar month is permitted, and no distribution fees or charges can apply to the first four distributions received during a plan year. Employees who leave their current employer can opt to roll over their emergency savings account into their plan’s designated Roth account (if they have one) or IRA or, alternatively, take a cash distribution. This provision is effective for plan years beginning after December 31, 2023.

Employer match for student loan payments
For plan years beginning after December 31, 2023, the SECURE 2.0 Act allows employers to make matching contributions under a 401(k) plan, 403(b) plan, governmental 457(b) plan or SIMPLE IRA for qualified student loan payments. The match must be at the same rate as matching contributions on elective deferrals. Plans can opt to apply the ADP test separately to employees who receive matching contributions for qualified student loan payments. Plans may rely on participant self-certifications of qualified student loan payments made.

Required Minimum Distributions
The Required Minimum Distribution (RMD) age increases from age 72 to age 73 starting in 2023, and to age 75 starting in 2033. In addition, the penalty for failure to take an RMD is reduced from 50% to 25% of the amount by which the distribution is short of the required amount, effective for tax years beginning after December 29, 2022. The penalty is reduced to 10% if the failure is corrected during a specified correction window.

In another RMD change, defined contribution plan participants will not have to take minimum distributions from their plan’s designated Roth account during their lifetimes. This change is effective for tax years beginning after December 31, 2023. Note, however, that 2023 RMDs for participants with a required beginning date of April 1, 2024 will still have to be made.

Involuntary cash-out limit
Currently, employers may transfer former employees’ retirement accounts from a workplace retirement plan into an IRA if their balances are between $1,000 and $5,000. The new law increases the limit from $5,000 to $7,000, effective for distributions made after December 31, 2023.

Improved eligibility for part-time workers
Effective for plan years beginning after December 31, 2024, 401(k) plans must shorten the eligibility period for participation by part-time workers from at least 500 hours of service during three consecutive 12-month periods to at least 500 hours of service during two consecutive 12-month periods.

Plan sponsors who want more information on how the changes ushered in by SECURE 2.0 could affect their plans should contact their tax or legal advisor.