<!-- Swiftype Variables -->

Defined Contribution

Cybersecurity, big data headline P&I’s defined contribution conference

Data dominated discussions and debates at the annual Pensions & Investments West Coast Defined Contribution Conference, held Oct. 8-10 in San Diego, as experts counseled sponsors on how to collect it, analyze it and, most importantly, protect it.

"There is a lot out there that we should be worried about," said Wendy Young Carter, the Glen Allen, Va.-based vice president and defined contribution director for The Segal Group, at a cybersecurity panel on Oct. 9.

"There's no way to insure that systems are not infected," said Jesse J. Greene Jr., senior fellow at the Richard Paul Richman Center for Business, Law and Public Policy at Columbia University, New York. Sponsors "need to be constantly vigilant."

Mr. Greene said the vigilance must be applied to human behavior as well as technical expertise. Improving password management, instructing employees on proper email use and guarding against intentional cybersecurity breaches are among key issues affecting sponsors, said Mr. Greene, who is also a director on the board at Caterpillar Inc., Deerfield, Ill.

He recommended that sponsors examine what data assets are vulnerable, develop a defense plan for major categories of these data assets and conduct rigorous training for employees on cybersecurity threats. "Technology may eventually reduce the risk but it won't eliminate it," he said.

David J. Kalat, a Chicago-based director of the Berkeley Research Group, warned sponsors of an "overreliance on technology" because "users are the primary point of weakness."

Poor password choice, failure to change default passwords, reusing passwords, sharing passwords and clicking on unknown links in emails are among the human errors that increase the vulnerability to cyberattacks. "We are our own worst enemies," said Mr. Kalat, who is a computer forensic investigator. The best technological solutions and controls "mean nothing" if users fail to comply, he added.

Among major technology weaknesses, Mr. Kalat cited failing to install critical software patches, failing to detect malware and using improper encryption.

And although cyber insurance is available, the "lack of stable long-tern actuarial data" make this a challenge to insurers to price the policies as well as sponsors to buy it, he said. Mr. Kalat contrasted the environment of cyberinsurance to that of fire insurance. The former has "an unusual risk profile," he said. "Fires don't think up new ways to burn down your building."

Attorney Michael E. Slipsky said one way to protect data from a cyberattack is to limit data collection and delete what isn't necessary. "Less is more," said Mr. Slipsky, a partner at Poyner Spruill LLP, Raleigh, N.C. "Use plan participant data solely to provide services."

"Often the weakest link in a data system is the third party," said Mr. Slipsky. "Vet the service provider before you ever get to the contract." Sponsors must also vet subcontractors, he said,

When managed properly and protected carefully, data can play an important role in making DC plans more efficient and effective, said speakers during an Oct. 9 panel discussion, "Tackling Big Data On Your Own Plan."

Consultant Liana Magner pointed out that managed accounts, for example, can incorporatedata ranging from participants' ages and account balances to zip codes and external assets to improve outcomes.

Sponsors can use big data "to inform investment structure," said Ms. Magner, a Boston-based partner and U.S. defined contribution investment leader for Mercer LLC. For example, big data can help sponsors determine how many participants are investing in only a single investment option, or investing in options with overlapping styles and strategies, or rarely adjusting their asset allocations.

Sponsors using big data must first decide how they want to use it; will participants care about the findings; and whether certain data analysis will be worth the time, cost and resources, said Jose L. Bustamante, the Albuquerque, N.M.-based manager, U.S. retirement programs for Magna International Inc.

"Is all the information necessary?" said Mr. Bustamante, adding that sponsors must determine if they want to analyze data for all participants or for specific groups. They also must be sure about what results are statistically significant measurements defining success or failure.

Meir Statman, the Oct. 9 keynote speaker, challenged the use of corporate matches — a long-held DC plan strategy to encourage greater savings.

Sponsors should make corporate contributions "unconditional on employee contributions," said Mr. Statman, professor of finance at the Leavey School of Business, Santa Clara University, arguing that corporate matches are of little help to low-salaried employees. "Matching penalizes the poor."

When asked during a brief question-and-answer period following his speech, Mr. Statman reaffirmed his distaste for this plan design. "The notion of a match is a stupid notion," he said.

Mr. Statman said the trend of employers moving to defined contribution plans from defined benefit plans has shifted investing risk to workers, and it also has enabled employers to reduce their contributions to retirement plans. The average DC employer contribution is about 4% of participants' pay, but the DB contribution has been basically double that amount, he said.

However, Mr. Statman said more DB plans isn't the answer. "I don't advocate a return to defined benefit plans," he said. A combination of Social Security and a DC plan is better for participantsbecause the former provides downside protection, while the latter provides upside potential, he explained.

Among his suggestions for improving the DC system, Mr. Statman said plans should move away from revenue sharing to a system in which administrative costs are paid directly and equally by each participant. He also advocated ending the 10% penalty on participants who withdraw their money before age 59½.