Important Update: DOL Weighs in on Forfeiture Lawsuits

After recent legal challenges around how 401(k) plan forfeitures are used, the Department of Labor (DOL) has offered its opinion, and it’s a positive sign for plan sponsors.

In a well-known case involving HP Inc., the plaintiffs argued that HP misused forfeitures by applying them to reduce employer contributions, instead of reallocating them to participants or covering plan expenses.

Although the court dismissed the case, it acknowledged that the legal theory was new and allowed the plaintiffs a chance to revise and refile their argument. Still, the judge initially found their claims too broad and lacking support from existing law.

What stood out was the DOL’s input in an amicus brief during the appeal:

– The DOL pointed to the IRS’s long-standing approval of using forfeitures to reduce employer contributions.

– It also stated that while deciding how to use forfeitures is a fiduciary responsibility, using them to offset employer contributions does not automatically violate fiduciary duties like loyalty or prudence.

What This Means for Plan Sponsors

– The IRS currently allows forfeitures to be used in several ways: reducing employer contributions, covering plan expenses, or reallocating to participants.

– The DOL’s comments support the legality of using forfeitures to reduce employer contributions, as long as it aligns with the plan document and is appropriately handled.

– Even so, plan sponsors should regularly review their plan documents and carefully document any fiduciary decisions related to forfeiture use.

As legal interpretations continue to evolve, this guidance from the DOL provides valuable clarity and reassurance for plan sponsors. By ensuring forfeiture practices are consistent with plan documents and fiduciary duties are well-documented, sponsors can move forward with greater confidence and compliance.

The Department of Labor Reiterates Focus on Cybersecurity

The US Department of Labor (DOL) issued a press release on September 6, 2024, reminding ERISA plan fiduciaries that it considers cybersecurity to be an area of ‘great concern,’ and emphasizing that the DOL will continue to investigate potential cybersecurity-related ERISA violations. The press release accompanied guidance that updated the DOL’s 2021 cybersecurity guidance; most significantly, it clarified that the 2024 updates apply to all types of ERISA plans, including health and welfare plans.

Background

The DOL issued three pieces of guidance in 2021 intended to address the intersection of cybersecurity and ERISA-covered plans. Each piece of guidance was addressed to a different audience:

  1. Online Security Tips was addressed to ERISA plan participants.
  2. Tips for Hiring a Service Provider with Strong Cybersecurity Practices (Hiring Tips) was addressed to ERISA plan fiduciaries.
  3. Cybersecurity Program Best Practices (Best Practices) was addressed to ERISA plan vendors and fiduciaries selecting and monitoring such vendors.

The 2021 guidance was framed only in terms of retirement plans, but it could be read to cover all ERISA plans.

2024 Updates

Outside of clarifying that the DOL’s cybersecurity guidance applies to all ERISA plans – retirement plans and health and welfare plans alike – the 2024 updates were limited:

• In Online Security Tips, the 2024 update tweaked the frequency with which it recommends participants update their passwords (changing it from 120 days to annually), clarified participants should not use common passwords (as opposed to stating they should not use dictionary words), and suggested participants favor longer passwords instead of more frequent resets.

• In Hiring Tips, the 2024 update clarified ERISA plan fiduciaries should ensure their vendors’ insurance coverage covers cybersecurity breaches and incidents involving the plan.

• In Best Practices, the 2024 update indicated ERISA plan vendors who follow these best practices should adopt certain multifactor authentication processes, as well as notify participants of unauthorized acquisition of their personal data without unreasonable delay.

The Bottom Line

Despite the limited scope of the 2024 updates, the takeaway is clear: the DOL continues to see cybersecurity as a top priority, and all ERISA plan fiduciaries (including those overseeing health and welfare plans) should be prepared for the DOL to investigate the steps taken to mitigate their plans’ cybersecurity risks.

In light of this clear message from the DOL, fiduciaries and service providers to ERISA plans (those that have access to plan data and/or assets) may want to consider evaluating the plan’s cybersecurity regime, such as through a cybersecurity self-audit, adoption of a cybersecurity policy, or other improvements to the cybersecurity and/or monitoring processes.

For group health plans, this can be done in conjunction with the self-audits that must be conducted to develop those policies and procedures required under the HIPAA Privacy and Security Rules. Final Rules issued under HIPAA earlier this year require group health plans to update their HIPAA privacy policies and procedures and provide associated workforce training by December 22, 2024.

If you need assistance with such process improvements, or have any questions about the impact of this guidance or fiduciary oversight of cybersecurity risk, please contact the Shepherd Financial team.
