Plan Sponsors Should 'Definitely' Have Cyber Liability Insurance: Lisa Gomez


At the recent PSCA national conference, ARA CEO Brian Graff and EBSA Assistant Secretary Lisa M. Gomez discussed a wide range of topics, including the widespread misunderstanding of what cyber liability insurance actually covers (a gap that could amount to a serious fiduciary failure) and the ESG rule. 
This session follows Graff and Gomez's previous conversation on an episode of D.C. Pensions Geeks.

Gomez's Path to Washington

For Gomez, taking on the EBSA role was an opportunity to come to Washington as a true outsider with a fresh perspective. 
"As someone who had spent their whole career representing plan sponsors, this was going to be a new perspective, and I'm hoping that I'm bringing that to the agency," she said.
Discussions quickly went from Gomez's journey to Washington to the SEC's proposed adoption of swing pricing and a "hard close" for transacting fund shares. Graff asked Gomez if the DOL has expressed concerns to the SEC about the proposal from a fiduciary standpoint. 

Gomez said the proposed adoption had "yet to be brought to her desk." Still, when such issues come up, she said, EBSA's working relationship with the other agencies lets her flag the potential effects of such measures on plans. 
"We can, at least, bring that into their radar so that they know that it's a potential issue for them," Gomez said.

Missing Participants

Graff then introduced the topic of missing participants and how it can be a sour subject for many plan sponsors. 
"It's this constant struggle for bigger plans, but smaller plans too. Where you've got participants with account balances, and they're not available, you don't know where they are and can't find them for various reasons," Graff said. 
Gomez, who began working at the agency on Oct. 11, 2022, discussed the amount of homework needed to start on a national database, such as the Retirement Savings Lost and Found, while noting that the agency lacks the resources to complete a project of that size and scope quickly.
EBSA began working on the database on Gomez's start date, but as the Dec. 29, 2024 deadline approaches, the agency may need to put out a "bake sale table" in front of the Frances Perkins Building to get a special appropriation for the task, she joked.

Cybersecurity and Cyber Liability Insurance

When asked about other helpful resources, Gomez pointed to the ERISA Advisory Council, on which accountants, employers, employee organizations, actuaries and insurers are represented. 
"Every year, the Advisory Council undertakes certain topics that they're going to look at, and in 2022, they issued a report based on that topic," Gomez explained about the purpose of the council. 
In 2022, the topic was cybersecurity. Gomez recommended Googling "ERISA Advisory Council and Cybersecurity" to find the report. Gomez remarked that many government websites can be hard to navigate, and Google can sometimes be easier. 
Gomez discussed how one Advisory Council report covered cyber liability insurance and how plan sponsors should "definitely" have it for their plans. 
"They also reported on cybersecurity issues as they relate to health benefit plans, but even though it's sort of focused on health benefit plans, there's a lot of general things that are in there that might be helpful," Gomez said. 
Gomez suggested that fiduciaries read the reports, not least because an auditor may examine how much cyber liability coverage a plan actually has. 
"There may be something in there. There are these specific cyber liability policies ... Depending on where the breach lies, it could fall under different types of policies."
Gomez stressed that many employers assume that because the company carries cyber liability insurance, a breach involving the plan would be covered. The fine print in the policy may limit coverage to the company itself, not the company acting in its capacity as plan sponsor, a distinction that is not obvious to most. The practical check is to confirm, before a breach, whether the plan and the sponsor's fiduciary functions fall within the policy's scope.
"Looking at these different things and talking with your broker, or whoever you're [dealing] with—make sure that you are protected there."

The ESG Rule

Shifting to the "not controversial" topic of ESG, Gomez explained common misconceptions about the ESG rule, including the assumption that it was a mandate, which it is not.
"I got sued by, I think, 25 different states on the rule. So, I'm hoping that's not how that [will continue] going," Gomez joked. 
Gomez acknowledged that not everyone would support the rule and that people could disagree with it, but she wanted to make sure people knew what the rule says and does not say. 
On the actual regulatory language, Graff pointed to his interview with Tim Hauser, EBSA's Deputy Assistant Secretary for Program Operations. Hauser explained that the rule contains just one reference to ESG, which states that "a fiduciary may consider ESG if it deems it to be relevant."
"That's it. That's what all the fuss is about, seriously. That's all it says," Graff said.
Photo credit: Brandon Diersch.