Your Clients’ Cybersecurity Concerns

Retirement plan advisers can help plan sponsor clients know their providers are taking the right steps to protect participant data—without exposing information hackers can find.

Art by Lily Padula


As more cybersecurity attacks are reported in the media, the issue is top of mind for many in the retirement industry.

In 2018, the ERISA Advisory Council asked the Department of Labor (DOL) to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face and to require them to be familiar with the various security frameworks used to protect data, as well as to build a cybersecurity process. Earlier this year, lawmakers sent a letter to the Government Accountability Office (GAO) asking it to examine cybersecurity in the U.S. retirement system. The letter identifies 10 questions the lawmakers would like the GAO to answer, following its examination.

Even as the issue evolves, there are some practical steps retirement plan providers are taking to relieve retirement plan sponsors’ worries about the risk of cybersecurity threats to participant accounts. According to Wendy Carter, vice president and defined contribution director in Segal’s Washington, D.C. office, and a vice-chair of the Data Security Oversight Board for The SPARK Institute, all companies have insurance to make participants whole if their account balances are accessed and taken.

Allison Itami, principal with Groom Law Group in Washington, D.C., and co-author of a white paper issued by the Pension Research Council and The Wharton School, University of Pennsylvania, says cybersecurity insurance is an evolving area—a growth opportunity for insurers. A plan sponsor’s errors and omissions (E&O) insurance provider may have it, but the sponsor may need a specialist broker to help find it.

Plan advisers can help in this area as well. Mainly, though, advisers help plan sponsors with cybersecurity concerns by including questions about cybersecurity practices in requests for proposals (RFPs) issued to providers. However, Carter notes, providers are wary of disclosing information about their cybersecurity practices, concerned that their efforts would be for naught because hackers could get access to the information they reveal.

Framework to help evaluate cybersecurity processes of providers

These concerns are why The SPARK Institute came up with a framework for cybersecurity disclosure by plan providers. It includes 16 identified critical data security control objectives, and requires plan providers to use an independent third-party auditor. According to the white paper co-authored by Itami, each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of SPARK’s 16 control objectives.

Those 16 control objectives are:

  • Risk assessment and treatment;
  • Security policy;
  • Organizational security;
  • Asset management;
  • Human resource security;
  • Physical and environmental security;
  • Communications and operations management;
  • Access control;
  • Information systems acquisition development;
  • Incident and communications management;
  • Business resiliency;
  • Compliance;
  • Mobile;
  • Encryption;
  • Supplier risk; and
  • Cloud security.

Itami explains that the framework is trying to reach the goal of providing a format for plan sponsors to look at different providers and compare apples to apples. “A plan sponsor can take the approach of asking the 16 questions, but that is not efficient, and they might run into resistance about giving detailed information that could be used by hackers,” she says.

With the SPARK framework, an outside auditor will write a report analyzing how recordkeepers address the 16 controls. “They will lay out a provider’s process without going into details. For example, the report may say, Provider A uses X encryption,” Itami says.

She adds that the report shows a provider has something in place and whether it looks rigorous or not.

Carter says the auditor’s report will also identify whether any issues have come up with a provider, whether it was a significant risk and whether it has been corrected.

At the time the framework was being developed, Mike Volo, senior partner at Cammack Retirement Group in Wellesley, Massachusetts, and a participant on SPARK’s Data Security Oversight Board, said, “We are experts in retirement plans and investments, not in data security. I think with this Common Certification Criteria, as we do RFP searches, having the certification will be a requirement. It will streamline our RFP process.”

Itami says in RFPs, advisers can ask prospective providers whether they have had an independent audit of cyber controls and to see the report. If they don’t have one, the adviser can ask for one.

When an adviser is asked about cybersecurity controls

Segal has an investment advisory business and, according to Carter, most of what it sees in RFPs regarding cybersecurity is a request for its data intake and management protocols.

While the SPARK solution is for recordkeepers, advisers concerned about revealing confidential business practices may consider a similar audit report to provide plan sponsors.

Carter adds that as part of its cybersecurity best practices, Segal’s investment advisory business doesn’t maintain any participant information.

A post from Joseph J. Lazzarotti, a principal at law firm Jackson Lewis, says B.C. Pension Corporation announced a data breach involving pension plan records after discovering a box containing microfiche could not be found following a recent office move. The box contained personal information (names, Social Security numbers and dates of birth) on approximately 8,000 pension plan participants. The company employed those participants during the period 1982 to 1997.

He noted that ERISA includes specific record retention requirements, but he cited a 2016 ERISA Advisory Council report of considerations for the DOL, which said plan sponsors and service providers should:

  • Retain only the data that is needed; if certain data elements can be redacted, remove them;
  • Maintain an inventory of records that are retained regardless of format, and where to find them;
  • Outline a clear process for moving records, and track location and inventory during the move; and
  • Delete records that are no longer needed; confirm service providers have done so, as applicable.

How To Make 529 Plan Service Pay Off

Offering advice about 529 college savings plans can deepen client relationships, though such services are not usually big revenue drivers on their own.

Art by Janice Chang


Generally speaking, 529 college savings programs are either directly sold through state-sponsored investment providers or sold through advisers at broker/dealers working for a commission earned on either an A or a C share, says Glenn Sulzer, senior analyst with Wolters Kluwer Legal & Regulatory U.S. in Riverwoods, Illinois.

“The revenue opportunities for retirement plan professionals may be limited to broker/dealers and to institutional providers, rather than registered investment providers (RIAs),” Sulzer says.

However, a number of RIA retirement plan advisers have added 529 plans to the services they provide in order to reinforce their relationship with sponsors and participants. These RIAs are compensated for the advice they give on 529 plans either through their one-on-one advice fee or perhaps through a financial wellness fee.

“Adding 529s can add additional depth to retirement plan advisers’ engagement with both the sponsor and participants,” says Peg Creonte, senior vice president of business development for Ascensus’ government savings division in Newtown, Massachusetts. “Saving for college is a priority for families, and with their tax advantages, 529 plans can be a valuable tool.”

However, before adding them to their practice, advisers should be aware that, in all likelihood, they will need to educate participants about what a 529 plan is, says Russ Tipper, senior vice president, Capital Group, home of American Funds, in Los Angeles. Pointing to a survey that Edward Jones conducted last May, he notes that only 29% of Americans correctly identified 529s as an education savings tool.

“Clearly, there is a lack of awareness among families, who don’t even know that 529s exist,” Creonte concurs. “We have a long way to go.”

This prompted Ascensus to partner with many of the states that sponsor 529s, as well as the investment firms that offer these plans, to launch a 529 awareness campaign on PBS this year, Creonte says.

Learning From 529 Plan Leaders

Richard Brothers Financial Advisors of South Portland, Maine, has offered 529 plans to its retirement plan participants for the past 20 years and has seen as many as 70% of participants invest in them, says Randy Richard, president. The practice includes the offering as part of the fee it charges for advice, he says. For parents, he says, “the 529 discussion is really important and something I feel passionate about.”

Essex Financial, an RIA in Essex, Connecticut, got into the 529 game eight years ago. James Sullivan, vice president, says advising on the plans, for which he increases his fee by 50 basis points, “is more of a value-add than a true revenue generator. I do it to help solidify the relationship with the plan and the participants rather than as opportunistic cross-selling.”

Matt Twedt, president of intellicents in Albert Lea, Minnesota, also believes that offering 529 plan-related advice, as well as other options, strengthens his relationship with sponsors and participants alike. “I look at working with participants holistically,” he says. “If you are adding all of these extra touches, then all of a sudden, they are not just working with you on the 401(k) but on education planning, perhaps a Roth IRA and/or life insurance—once you get into two to three areas of a person’s financial planning, you are solidifying that relationship.”

529 plans offer many benefits to participants, not least of which is a savings plan that locks in money for a child’s college education, says Tom Rowley, director of retirement and education strategies at Invesco in Houston. Before their introduction in 1996, he was saving for his own children’s education in a separate savings account that, at times, the family dipped into for emergencies.

“Many states offer a tax benefit, either as a tax deduction or a credit,” Creonte says. “Earnings that grow on the money invested in the account are not taxed, and when you take the money out for qualified education expenses, it is not taxed. Furthermore, the account is only counted as a parent asset, so it has very little impact on financial aid.”

And some 529 plans have tools built in that permit families to ask relatives or friends to contribute to the plan instead of giving a birthday, holiday or other present, she notes.

For grandparents who want to contribute to their grandchildren’s education, there are estate planning benefits, says Jeff Winn, managing partner at International Assets Advisory in Orlando, Florida. “Every dollar that goes into the 529 is viewed as a gift,” he says. “An individual can contribute up to $15,000 a year into a 529, so two grandparents could contribute $30,000 without incurring any gift tax up to five years for a total of $150,000, and they could prefund it by taking that money immediately out of their taxable estate. This is a great way to reduce estate taxes and leave a legacy.”

529s also offer a lot of flexibility in that if the child for whom the account was set up decides not to go to college, a different beneficiary can be named—even a grandchild, Twedt notes. And should there be no need at all to fund a college education, the funds can be accessed, although there will be taxes and penalties incurred, he notes.

In addition, parents retain ownership of the assets in the plan, Sullivan points out. “The 18-year-old cannot take the money out and buy a motorcycle,” he says.

Considerations When Recommending a 529

When recommending a 529 to individuals, the first thing that intellicents does is check to see if the state in which they reside offers a tax benefit for 529 contributions, Twedt says.

Before advisers add 529 plan services to their practice, Rowley says, “they should know and understand the difference between in-state and out-of-state plans, the tax benefits, fees and expenses, and administration and payroll issues, and how they affect financial aid eligibility. If you have this covered, you’ll have a pretty good understanding of 529 plans.”

For registered reps at broker/dealers selling products within 529 plans, in March, FINRA launched a 529 Share Class Initiative to ensure they are selling the right share class based on the age of the beneficiary and the number of years until the funds are needed to pay for the beneficiary’s qualified education expenses.

With A shares paying an upfront load but lower annual fees thereafter, this share class may make sense for parents whose savings time horizon is longer than seven years, Twedt says. “With that said, if you have a middle schooler who will use the funds in five to six years, the 5% upfront sales load may not make sense, and it might be better to go into a higher fee with the C share.”

For advisers at broker/dealers selling 529s, it is important that they select a share class “that meets the client’s goals, that the commissions are disclosed, that the investment managers’ fees are reasonable,” says Mark Johannessen, a principal at Sullivan Bruyette Speros & Blayney, a financial planning firm in McLean, Virginia. “If you take a fiduciary approach by putting all of these things in place, follow through in subsequent meetings and document your process, you will meet FINRA’s standards.”

To offer more flexibility, Invesco has a 529 C share that converts every five years to an A share, Rowley says. A report from Strategic Insight in January revealed that there are 19 other investment firms that also offer convertible C shares.

American Funds is one of the firms that offers this option. “We offer choice around share classes that the adviser can leverage based on a client’s specific situation,” Tipper says. “It’s more important than ever for financial advisers to add value to their clients and discuss the options that are available to them.”
